diff --git a/.gitignore b/.gitignore
index e9aa4a717..896009d10 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,6 +11,7 @@
/autogen/
/traefik
/traefik.toml
+/traefik.yml
*.log
*.exe
cover.out
diff --git a/.golangci.toml b/.golangci.toml
index cefb36603..eeb123a15 100644
--- a/.golangci.toml
+++ b/.golangci.toml
@@ -36,6 +36,8 @@
"scopelint",
"gochecknoinits",
"gochecknoglobals",
+ # uncomment when the CI will be updated
+ # "bodyclose", # Too many false-positive and panics.
]
[issues]
@@ -72,7 +74,7 @@
path = "pkg/provider/kubernetes/builder_(endpoint|service)_test.go"
text = "(U1000: func )?`(.+)` is unused"
[[issues.exclude-rules]]
- path = "pkg/provider/label/internal/.+_test.go"
+ path = "pkg/config/parser/.+_test.go"
text = "U1000: field `(foo|fuu)` is unused"
[[issues.exclude-rules]]
path = "pkg/server/service/bufferpool.go"
diff --git a/.semaphoreci/job2.sh b/.semaphoreci/job2.sh
index 68c21a281..f6d6939d3 100755
--- a/.semaphoreci/job2.sh
+++ b/.semaphoreci/job2.sh
@@ -5,4 +5,4 @@ ci_retry make validate
if [ -n "$SHOULD_TEST" ]; then ci_retry make test-unit; fi
-if [ -n "$SHOULD_TEST" ]; then make -j${N_MAKE_JOBS} crossbinary-default-parallel; fi
+if [ -n "$SHOULD_TEST" ]; then make -j"${N_MAKE_JOBS}" crossbinary-default-parallel; fi
diff --git a/.semaphoreci/setup.sh b/.semaphoreci/setup.sh
index 9eeec0b10..49ff70463 100755
--- a/.semaphoreci/setup.sh
+++ b/.semaphoreci/setup.sh
@@ -3,9 +3,10 @@ set -e
export DOCKER_VERSION=17.03.1
+# shellcheck source=/dev/null
source .semaphoreci/vars
-if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/containous/traefik/pull/${PULL_REQUEST_NUMBER}.diff | patch --dry-run -p1 -R); fi
+if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/containous/traefik/pull/"${PULL_REQUEST_NUMBER}".diff | patch --dry-run -p1 -R); fi
if [ -n "$TEMP_STORAGE" ]; then SHOULD_TEST=$(echo "$TEMP_STORAGE" | grep -Ev '(.md|.yaml|.yml)' || :); fi
diff --git a/.semaphoreci/vars b/.semaphoreci/vars
index 4f945f666..631289c78 100644
--- a/.semaphoreci/vars
+++ b/.semaphoreci/vars
@@ -24,8 +24,8 @@ function ci_retry {
until [ $n -ge $NRETRY ]
do
"$@" && break
- n=$[$n+1]
- echo "$@ failed, attempt ${n}/${NRETRY}"
+ n=$((n+1))
+ echo "${*} failed, attempt ${n}/${NRETRY}"
sleep $NSLEEP
done
@@ -34,4 +34,3 @@ function ci_retry {
}
export -f ci_retry
-
diff --git a/.travis.yml b/.travis.yml
index b71d4949f..45c8eb33e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -38,7 +38,6 @@ deploy:
file: dist/traefik*
skip_cleanup: true
file_glob: true
- draft: true
on:
repo: containous/traefik
tags: true
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4909bde4d..dcc8da153 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,101 @@
# Change Log
+## [v2.0.0-alpha6](https://github.com/containous/traefik/tree/v2.0.0-alpha6) (2019-06-18)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.0-alpha5...v2.0.0-alpha6)
+
+**Bug fixes:**
+- **[cli]** Don't allow non flag arguments by default. ([#4970](https://github.com/containous/traefik/pull/4970) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[middleware,k8s/crd]** doc: fix middleware names for CRD. ([#4966](https://github.com/containous/traefik/pull/4966) by [ldez](https://github.com/ldez))
+- **[middleware]** Kubernetes CRD documentation fixes ([#4971](https://github.com/containous/traefik/pull/4971) by [orhanhenrik](https://github.com/orhanhenrik))
+
+## [v2.0.0-alpha5](https://github.com/containous/traefik/tree/v2.0.0-alpha5) (2019-06-17)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.0-alpha4...v2.0.0-alpha5)
+
+**Enhancements:**
+- **[acme]** Remove timeout/interval from the ACME Provider ([#4842](https://github.com/containous/traefik/pull/4842) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[api]** API: expose runtime representation ([#4841](https://github.com/containous/traefik/pull/4841) by [mpl](https://github.com/mpl))
+- **[cli]** New static configuration loading system. ([#4935](https://github.com/containous/traefik/pull/4935) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/crd,tcp]** Add support for TCP (in kubernetes CRD) ([#4885](https://github.com/containous/traefik/pull/4885) by [mpl](https://github.com/mpl))
+- **[server]** Rework loadbalancer support ([#4933](https://github.com/containous/traefik/pull/4933) by [juliens](https://github.com/juliens))
+- **[sticky-session]** HttpOnly and Secure flags on the affinity cookie ([#4947](https://github.com/containous/traefik/pull/4947) by [gheibia](https://github.com/gheibia))
+- **[tls]** Define TLS options on the Router configuration ([#4931](https://github.com/containous/traefik/pull/4931) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[tracing]** Added support for Haystack tracing ([#4555](https://github.com/containous/traefik/pull/4555) by [aantono](https://github.com/aantono))
+
+**Bug fixes:**
+- **[logs]** Fix typos in data collection message ([#4891](https://github.com/containous/traefik/pull/4891) by [mpl](https://github.com/mpl))
+- **[middleware]** change doc references to scheme[Rr]edirect -> redirect[Ss]cheme ([#4959](https://github.com/containous/traefik/pull/4959) by [topiaruss](https://github.com/topiaruss))
+- **[rules]** Allow matching with FQDN hosts with trailing periods ([#4763](https://github.com/containous/traefik/pull/4763) by [dtomcej](https://github.com/dtomcej))
+- **[tcp]** Remove first byte wait when tcp catches all ([#4938](https://github.com/containous/traefik/pull/4938) by [juliens](https://github.com/juliens))
+- **[tcp]** Don't add TCP proxy when error occurs during creation. ([#4858](https://github.com/containous/traefik/pull/4858) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[acme]** Add note about ACME renewal ([#4860](https://github.com/containous/traefik/pull/4860) by [dtomcej](https://github.com/dtomcej))
+- **[docker]** Remove traefik.port from documentation ([#4886](https://github.com/containous/traefik/pull/4886) by [ldez](https://github.com/ldez))
+- **[docker]** Clarify docs with labels in Swarm Mode ([#4847](https://github.com/containous/traefik/pull/4847) by [mikesir87](https://github.com/mikesir87))
+- **[k8s]** Fix typo in the CRD documentation ([#4902](https://github.com/containous/traefik/pull/4902) by [llussy](https://github.com/llussy))
+- **[middleware,provider]** fix the documentation about middleware labels. ([#4888](https://github.com/containous/traefik/pull/4888) by [ldez](https://github.com/ldez))
+- **[middleware]** Review documentation ([#4798](https://github.com/containous/traefik/pull/4798) by [ldez](https://github.com/ldez))
+- **[middleware]** compress link fixed ([#4817](https://github.com/containous/traefik/pull/4817) by [gato](https://github.com/gato))
+- **[middleware]** Fix strip prefix documentation ([#4829](https://github.com/containous/traefik/pull/4829) by [mmatur](https://github.com/mmatur))
+- **[middleware]** Fix Kubernetes Docs for Middlewares ([#4943](https://github.com/containous/traefik/pull/4943) by [HurricanKai](https://github.com/HurricanKai))
+- **[middleware]** Correct typo in documentation on rate limiting ([#4939](https://github.com/containous/traefik/pull/4939) by [ableuler](https://github.com/ableuler))
+- **[middleware]** docker-compose basic auth needs double dollar signs ([#4831](https://github.com/containous/traefik/pull/4831) by [muhlemmer](https://github.com/muhlemmer))
+- **[middleware]** Adds a reference to the middleware overview. ([#4824](https://github.com/containous/traefik/pull/4824) by [ldez](https://github.com/ldez))
+- **[middleware]** Update headers middleware docs for kubernetes crd ([#4955](https://github.com/containous/traefik/pull/4955) by [orhanhenrik](https://github.com/orhanhenrik))
+- **[rancher]** fix: Rancher documentation. ([#4818](https://github.com/containous/traefik/pull/4818) by [ldez](https://github.com/ldez))
+- **[rancher]** Specify that Rancher provider is for 1.x only ([#4923](https://github.com/containous/traefik/pull/4923) by [bradjones1](https://github.com/bradjones1))
+- **[tls]** fix: typo in routing example. ([#4849](https://github.com/containous/traefik/pull/4849) by [ldez](https://github.com/ldez))
+- Clarification of the correct pronunciation of the word "Traefik" ([#4834](https://github.com/containous/traefik/pull/4834) by [ylamlum-g4m](https://github.com/ylamlum-g4m))
+- Fix typos in documentation ([#4884](https://github.com/containous/traefik/pull/4884) by [michael-k](https://github.com/michael-k))
+- Entry points CLI description. ([#4896](https://github.com/containous/traefik/pull/4896) by [ldez](https://github.com/ldez))
+- Improve the "reading path" for new contributors ([#4908](https://github.com/containous/traefik/pull/4908) by [dduportal](https://github.com/dduportal))
+- Fixed spelling typo ([#4848](https://github.com/containous/traefik/pull/4848) by [mikesir87](https://github.com/mikesir87))
+- Fixed readme misspelling ([#4882](https://github.com/containous/traefik/pull/4882) by [antondalgren](https://github.com/antondalgren))
+- Minor fix in documentation ([#4811](https://github.com/containous/traefik/pull/4811) by [mmatur](https://github.com/mmatur))
+- Add Mathieu Lonjaret to maintainers ([#4950](https://github.com/containous/traefik/pull/4950) by [emilevauge](https://github.com/emilevauge))
+- Fix a typo in documentation ([#4794](https://github.com/containous/traefik/pull/4794) by [groovytron](https://github.com/groovytron))
+
+**Misc:**
+- Cherry pick v1.7 into v2.0 ([#4948](https://github.com/containous/traefik/pull/4948) by [ldez](https://github.com/ldez))
+- Cherry pick v1.7 into v2.0 ([#4823](https://github.com/containous/traefik/pull/4823) by [ldez](https://github.com/ldez))
+
+## [v1.7.12](https://github.com/containous/traefik/tree/v1.7.12) (2019-05-29)
+[All Commits](https://github.com/containous/traefik/compare/v1.7.11...v1.7.12)
+
+**Bug fixes:**
+- **[acme]** Allow SANs for wildcards domain. ([#4821](https://github.com/containous/traefik/pull/4821) by [vizv](https://github.com/vizv))
+- **[acme]** fix: update lego. ([#4910](https://github.com/containous/traefik/pull/4910) by [ldez](https://github.com/ldez))
+- **[api,authentication]** Remove authentication hashes from API ([#4918](https://github.com/containous/traefik/pull/4918) by [ldez](https://github.com/ldez))
+- **[consul]** Enhance KV logs. ([#4877](https://github.com/containous/traefik/pull/4877) by [ldez](https://github.com/ldez))
+- **[k8s]** Fix kubernetes template for backend responseforwarding flushinterval setting ([#4901](https://github.com/containous/traefik/pull/4901) by [ravilr](https://github.com/ravilr))
+- **[metrics]** Upgraded DataDog tracing library to 1.13.0 ([#4878](https://github.com/containous/traefik/pull/4878) by [aantono](https://github.com/aantono))
+- **[server]** Add missing callback on close of hijacked connections ([#4900](https://github.com/containous/traefik/pull/4900) by [ravilr](https://github.com/ravilr))
+
+**Documentation:**
+- **[docker]** Docs: Troubleshooting help for Docker Swarm labels ([#4751](https://github.com/containous/traefik/pull/4751) by [gregberns](https://github.com/gregberns))
+- **[logs]** Adds a log fields documentation. ([#4890](https://github.com/containous/traefik/pull/4890) by [ldez](https://github.com/ldez))
+
+## [v1.7.11](https://github.com/containous/traefik/tree/v1.7.11) (2019-04-26)
+[All Commits](https://github.com/containous/traefik/compare/v1.7.10...v1.7.11)
+
+**Enhancements:**
+- **[k8s,k8s/ingress]** Enhance k8s tests maintainability ([#4696](https://github.com/containous/traefik/pull/4696) by [ldez](https://github.com/ldez))
+
+**Bug fixes:**
+- **[acme]** fix: update lego. ([#4800](https://github.com/containous/traefik/pull/4800) by [ldez](https://github.com/ldez))
+- **[authentication,middleware]** Forward all header values from forward auth response ([#4515](https://github.com/containous/traefik/pull/4515) by [ctas582](https://github.com/ctas582))
+- **[cluster]** Remove usage of github.com/satori/go.uuid ([#4722](https://github.com/containous/traefik/pull/4722) by [aaslamin](https://github.com/aaslamin))
+- **[kv]** Enhance KV client error management ([#4819](https://github.com/containous/traefik/pull/4819) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[tls]** Improve log message about redundant TLS certificate ([#4765](https://github.com/containous/traefik/pull/4765) by [mpl](https://github.com/mpl))
+- **[tracing]** Update zipkin-go-opentracing. ([#4720](https://github.com/containous/traefik/pull/4720) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[acme]** Documentation Update: Hosting.de wildcard support tested ([#4747](https://github.com/containous/traefik/pull/4747) by [martinhoefling](https://github.com/martinhoefling))
+- **[acme]** Update Wildcard Domain documentation ([#4682](https://github.com/containous/traefik/pull/4682) by [DWSR](https://github.com/DWSR))
+- **[middleware]** Keep consistent order ([#4690](https://github.com/containous/traefik/pull/4690) by [maxifom](https://github.com/maxifom))
+
## [v2.0.0-alpha4](https://github.com/containous/traefik/tree/v2.0.0-alpha4) (2019-04-17)
[All Commits](https://github.com/containous/traefik/compare/v2.0.0-alpha3...v2.0.0-alpha4)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 9a3a3a66c..6279fa377 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,3 +1,3 @@
# Contributing
-See https://docs.traefik.io.
+See .
diff --git a/Gopkg.lock b/Gopkg.lock
index 17f8591c3..ad88768f6 100644
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -54,6 +54,14 @@
pruneopts = "NUT"
revision = "a368813c5e648fee92e5f6c30e3944ff9d5e8895"
+[[projects]]
+ digest = "1:be4a03871fbc5250d19bcbc2d2b21c3c58fd97b048de64ec1ff4c8e3890d4f1b"
+ name = "github.com/ExpediaDotCom/haystack-client-go"
+ packages = ["."]
+ pruneopts = "NUT"
+ revision = "e7edbdf53a61a82ed143809088ed582312ff7e36"
+ version = "0.2.3"
+
[[projects]]
digest = "1:ab7fee312bbdc8070d0325d841de8704cc78bf032b076200f1458659b74b8ed6"
name = "github.com/JamesClonk/vultr"
@@ -143,12 +151,9 @@
[[projects]]
branch = "master"
- digest = "1:28be1959f81e9a6dec3058768a4c4535cf73fcd6e171d21688ad0a7fdf49d43a"
+ digest = "1:d37d0fa13c422a0b85981fe42ff8f176885921294cf0c3ce585c160669cc32bb"
name = "github.com/abronan/valkeyrie"
- packages = [
- ".",
- "store",
- ]
+ packages = ["store"]
pruneopts = "NUT"
revision = "063d875e3c5fd734fa2aa12fac83829f62acfc70"
@@ -287,17 +292,6 @@
pruneopts = "NUT"
revision = "d83ebdd94cbdbcd9c6c6a22e1a0cde05e55d9d90"
-[[projects]]
- digest = "1:3cd675d508d3f9067704d36011c7a262fc0a0bf1ad0361a7d1e60a405d12941e"
- name = "github.com/containous/flaeg"
- packages = [
- ".",
- "parse",
- ]
- pruneopts = "NUT"
- revision = "c93d194b807ef171c43344d60adad8b58217390a"
- version = "v1.4.1"
-
[[projects]]
branch = "master"
digest = "1:3a789aa5487458c1fc913b47be763e5906e1524f1143acb8617287866184f9a7"
@@ -306,14 +300,6 @@
pruneopts = "NUT"
revision = "c33f32e268983f989290677351b871b65da75ba5"
-[[projects]]
- digest = "1:a4f16a1b72349621b887bde88f458da518160abcb600eae3d591d8a2afa78bda"
- name = "github.com/containous/staert"
- packages = ["."]
- pruneopts = "NUT"
- revision = "7a9987c3a6d46be84e141a5c3191347ec10af17d"
- version = "v3.1.2"
-
[[projects]]
digest = "1:fa91847d50d3f656fc2d2d608b9749b97d77528e8988ad8001f957640545e91e"
name = "github.com/coreos/go-systemd"
@@ -598,7 +584,7 @@
revision = "73d445a93680fa1a78ae23a5839bad48f32ba1ee"
[[projects]]
- digest = "1:a04af13190b67ff69cf8fcd79ee133a24c4a7a900cacbc296261dd43f3fbde5c"
+ digest = "1:d82b2dc81c551e7c15f31523a2cc8ee9121b39cfbf63174d98a0bc8edf2d3c5e"
name = "github.com/go-acme/lego"
packages = [
"acme",
@@ -622,6 +608,7 @@
"providers/dns/alidns",
"providers/dns/auroradns",
"providers/dns/azure",
+ "providers/dns/bindman",
"providers/dns/bluecat",
"providers/dns/cloudflare",
"providers/dns/cloudns",
@@ -640,6 +627,7 @@
"providers/dns/dreamhost",
"providers/dns/duckdns",
"providers/dns/dyn",
+ "providers/dns/easydns",
"providers/dns/exec",
"providers/dns/exoscale",
"providers/dns/fastdns",
@@ -652,6 +640,7 @@
"providers/dns/httpreq",
"providers/dns/iij",
"providers/dns/inwx",
+ "providers/dns/joker",
"providers/dns/lightsail",
"providers/dns/linode",
"providers/dns/linodev4",
@@ -683,8 +672,8 @@
"registration",
]
pruneopts = "NUT"
- revision = "aaecc1ca7254190b71c5f01f57ee3bb6701bc937"
- version = "v2.4.0"
+ revision = "01903cdfb9869df45cf5274c53226823a2532f2d"
+ version = "v2.6.0"
[[projects]]
branch = "fork-containous"
@@ -695,6 +684,14 @@
revision = "ca0bf163426aa183d03fd4949101785c0347f273"
source = "github.com/containous/check"
+[[projects]]
+ digest = "1:ea1d5bfdb4ec5c2ee48c97865e6de1a28fa8c4849a3f56b27d521aa619038e06"
+ name = "github.com/go-errors/errors"
+ packages = ["."]
+ pruneopts = "NUT"
+ revision = "a6af135bd4e28680facf08a3d206b454abc877a4"
+ version = "v1.0.1"
+
[[projects]]
digest = "1:5e92676b56ce4c69edf9ee1f6343c56f637e30af11b9d8b5edd1b6530f3fbc3d"
name = "github.com/go-ini/ini"
@@ -765,7 +762,7 @@
revision = "44145f04b68cf362d9c4df2182967c2275eaefed"
[[projects]]
- digest = "1:03e14cff610a8a58b774e36bd337fa979482be86aab01be81fb8bbd6d0f07fc8"
+ digest = "1:2d0636a8c490d2272dd725db26f74a537111b99b9dbdda0d8b98febe63702aa4"
name = "github.com/golang/protobuf"
packages = [
"proto",
@@ -775,8 +772,8 @@
"ptypes/timestamp",
]
pruneopts = "NUT"
- revision = "b4deda0973fb4c70b50d226b1af49f3da59f5265"
- version = "v1.1.0"
+ revision = "b5d812f8a3706043e23a9cd5babf2e5423744d30"
+ version = "v1.3.1"
[[projects]]
branch = "master"
@@ -1014,6 +1011,25 @@
pruneopts = "NUT"
revision = "b84e30acd515aadc4b783ad4ff83aff3299bdfe0"
+[[projects]]
+ digest = "1:1082aeb059ff66b4fb6da53f9e7591726c6a81901f05ce48a470091784b23914"
+ name = "github.com/labbsr0x/bindman-dns-webhook"
+ packages = [
+ "src/client",
+ "src/types",
+ ]
+ pruneopts = "NUT"
+ revision = "234ca2a50eebc2095f42a884709a6e9013366d86"
+ version = "v1.0.0"
+
+[[projects]]
+ branch = "master"
+ digest = "1:ad2a63b2d6dfe7d66bf14c01f1171a3951abef6e0fb136170359c3f7c4f51615"
+ name = "github.com/labbsr0x/goh"
+ packages = ["gohclient"]
+ pruneopts = "NUT"
+ revision = "60aa50bcbca768de1b8d37d7185daab4cf023ed2"
+
[[projects]]
branch = "master"
digest = "1:5a96e1f04259484b3dd183ca95d1e7bff768b1bab36c530e308a8d56243b50c7"
@@ -1190,14 +1206,6 @@
revision = "d8152159450570012552f924a0ae6ab3d8c617e0"
version = "v0.6.0"
-[[projects]]
- branch = "master"
- digest = "1:95d27e49401b61dd203a4cf8237037bd6cd49599651f855ac1988c4ae27b090e"
- name = "github.com/ogier/pflag"
- packages = ["."]
- pruneopts = "NUT"
- revision = "45c278ab3607870051a2ea9040bb85fcb8557481"
-
[[projects]]
digest = "1:69e47979091e47a10e5ff0e2776ca71aa3e884238ce446bd71e246878ba0858d"
name = "github.com/opencontainers/go-digest"
@@ -1416,17 +1424,18 @@
revision = "256dc444b735e061061cf46c809487313d5b0065"
[[projects]]
- branch = "master"
- digest = "1:fff470b0a7bbf05cfe8bfc73bfdf4d21eb009ea84e601f3d27781474e5da960f"
+ digest = "1:253f275bd72c42f8d234712d1574c8b222fe9b72838bfaca11b21ace9c0e3d0a"
name = "github.com/sacloud/libsacloud"
packages = [
".",
"api",
"sacloud",
"sacloud/ostype",
+ "utils/mutexkv",
]
pruneopts = "NUT"
- revision = "306ea89b6ef19334614f7b0fc5aa19595022bb8c"
+ revision = "41c392dee98a83260abbe0fcd5c13beb7c75d103"
+ version = "v1.21.1"
[[projects]]
digest = "1:6bc0652ea6e39e22ccd522458b8bdd8665bf23bdc5a20eec90056e4dc7e273ca"
@@ -1480,13 +1489,6 @@
pruneopts = "NUT"
revision = "c4434f09ec131ecf30f986d5dcb1636508bfa49a"
-[[projects]]
- digest = "1:84b9a5318d8ce3b8a9b1509bf15734f4f9dcd4decf9d9e9c7346a16c7b64d49e"
- name = "github.com/thoas/stats"
- packages = ["."]
- pruneopts = "NUT"
- revision = "4975baf6a358ed3ddaa42133996e1959f96c9300"
-
[[projects]]
branch = "master"
digest = "1:99ce99ce6d6d0cbc5f822cda92095906e01d5546d60999ac839ab008938e4e17"
@@ -1580,7 +1582,7 @@
[[projects]]
branch = "master"
- digest = "1:c878a802780168c80738d74607d14e7cb8765706990ae1260a3fd271c2c3b133"
+ digest = "1:d7ace03de79a9cec30e7a55cc16160602760470c5fe031b780dc2d84234d7f5a"
name = "github.com/vulcand/oxy"
packages = [
"buffer",
@@ -1593,7 +1595,7 @@
"utils",
]
pruneopts = "NUT"
- revision = "c34b0c501e43223bc816ac9b40b0ac29c44c8952"
+ revision = "3d629cff40b7040e0519628e7774ed11a95d9aff"
[[projects]]
digest = "1:ca6bac407fedc14fbeeba861dd33a821ba3a1624c10126ec6003b0a28d4139c5"
@@ -1626,6 +1628,42 @@
pruneopts = "NUT"
revision = "0c8571ac0ce161a5feb57375a9cdf148c98c0f70"
+[[projects]]
+ digest = "1:aafe0319af5410fb19a23a575ea6ee4b14253e122ef87f936bac65ea1e6b280c"
+ name = "go.opencensus.io"
+ packages = [
+ ".",
+ "internal",
+ "internal/tagencoding",
+ "metric/metricdata",
+ "metric/metricproducer",
+ "plugin/ochttp",
+ "plugin/ochttp/propagation/b3",
+ "resource",
+ "stats",
+ "stats/internal",
+ "stats/view",
+ "tag",
+ "trace",
+ "trace/internal",
+ "trace/propagation",
+ "trace/tracestate",
+ ]
+ pruneopts = "NUT"
+ revision = "df6e2001952312404b06f5f6f03fcb4aec1648e5"
+ version = "v0.21.0"
+
+[[projects]]
+ branch = "master"
+ digest = "1:02fe59517e10f9b400b500af8ac228c74cecb0cba7a5f438d8283edb97e14270"
+ name = "go.uber.org/ratelimit"
+ packages = [
+ ".",
+ "internal/clock",
+ ]
+ pruneopts = "NUT"
+ revision = "c15da02342779cb6dc027fc95ee2277787698f36"
+
[[projects]]
branch = "master"
digest = "1:30c1930f8c9fee79f3af60c8b7cd92edd12a4f22187f5527d53509b1a794f555"
@@ -1687,15 +1725,14 @@
revision = "ec22f46f877b4505e0117eeaab541714644fdd28"
[[projects]]
- branch = "master"
- digest = "1:4e67fdd7a13cbdb3c0dff0a7505abbdf4f42b12b27da350d66bffdc700db2899"
+ digest = "1:51bfac9fe01b6a949bfed6db70b00bada281f0d64e5296ec644163aa977bfee0"
name = "golang.org/x/sys"
packages = [
"unix",
"windows",
]
pruneopts = "NUT"
- revision = "fff93fa7cd278d84afc205751523809c464168ab"
+ revision = "1c9583448a9c3aa0f9a6a5241bf73c0bd8aafded"
[[projects]]
digest = "1:ca9ebfc1200ca7423d9778dba9cdd463704753541c99dc4896f15e0b8b2bf1e8"
@@ -1744,16 +1781,21 @@
[[projects]]
branch = "master"
- digest = "1:da32ebe70dd3ec97d2df26281b08b18d05c2f12491ae79f389813f6c8d3006b3"
+ digest = "1:70c173b8ecc111dd01dc07f0ada72c076e4ed91618ee559312ef8adf154cc539"
name = "google.golang.org/api"
packages = [
"dns/v1",
"gensupport",
"googleapi",
"googleapi/internal/uritemplates",
+ "googleapi/transport",
+ "internal",
+ "option",
+ "transport/http",
+ "transport/http/internal/propagation",
]
pruneopts = "NUT"
- revision = "de943baf05a022a8f921b544b7827bacaba1aed5"
+ revision = "067bed655e9cbc26f4dbac8f8897b30756d90990"
[[projects]]
digest = "1:7206d98ec77c90c72ec2c405181a1dcf86965803b6dbc4f98ceab7a5047c37a9"
@@ -1781,22 +1823,31 @@
revision = "09f6ed296fc66555a25fe4ce95173148778dfa85"
[[projects]]
- digest = "1:a840929a3a2d91282dc853cbd5f586069c14ae373247fb7d4cb4fa02b285326e"
+ digest = "1:ffb498178a6bbe5a877e715cc85a40d5a712883d85f5bf05acf26dbd6c8f71e2"
name = "google.golang.org/grpc"
packages = [
".",
"balancer",
"balancer/base",
"balancer/roundrobin",
- "channelz",
+ "binarylog/grpc_binarylog_v1",
"codes",
"connectivity",
"credentials",
+ "credentials/internal",
"encoding",
"encoding/proto",
- "grpclb/grpc_lb_v1/messages",
"grpclog",
"internal",
+ "internal/backoff",
+ "internal/balancerload",
+ "internal/binarylog",
+ "internal/channelz",
+ "internal/envconfig",
+ "internal/grpcrand",
+ "internal/grpcsync",
+ "internal/syscall",
+ "internal/transport",
"keepalive",
"metadata",
"naming",
@@ -1807,14 +1858,13 @@
"stats",
"status",
"tap",
- "transport",
]
pruneopts = "NUT"
- revision = "41344da2231b913fa3d983840a57a6b1b7b631a1"
- version = "v1.12.0"
+ revision = "25c4f928eaa6d96443009bd842389fb4fa48664e"
+ version = "v1.20.1"
[[projects]]
- digest = "1:b886012746f19e2a7c6c3901ea9f86e8a5e32ff2b4407086f4f3181269976957"
+ digest = "1:b49eceff862a3048ec28dad1fce40bcbdc1703119dbad35d7e5f1beb4f9a4527"
name = "gopkg.in/DataDog/dd-trace-go.v1"
packages = [
"ddtrace",
@@ -1822,10 +1872,11 @@
"ddtrace/internal",
"ddtrace/opentracer",
"ddtrace/tracer",
+ "internal/globalconfig",
]
pruneopts = "NUT"
- revision = "7fb2bce4b1ed6ab61f7a9e1be30dea56de19db7c"
- version = "v1.8.0"
+ revision = "c19e9e56d5b5b71b6507ce1b0ec06d85aa3705a1"
+ version = "v1.14.0"
[[projects]]
digest = "1:c970218a20933dd0a2eb2006de922217fa9276f57d25009b2a934eb1c50031cc"
@@ -2173,6 +2224,7 @@
analyzer-version = 1
input-imports = [
"github.com/BurntSushi/toml",
+ "github.com/ExpediaDotCom/haystack-client-go",
"github.com/Masterminds/sprig",
"github.com/NYTimes/gziphandler",
"github.com/abbot/go-http-auth",
@@ -2180,10 +2232,7 @@
"github.com/armon/go-proxyproto",
"github.com/cenkalti/backoff",
"github.com/containous/alice",
- "github.com/containous/flaeg",
- "github.com/containous/flaeg/parse",
"github.com/containous/mux",
- "github.com/containous/staert",
"github.com/coreos/go-systemd/daemon",
"github.com/davecgh/go-spew/spew",
"github.com/docker/docker/api/types",
@@ -2230,12 +2279,12 @@
"github.com/mitchellh/copystructure",
"github.com/mitchellh/hashstructure",
"github.com/mvdan/xurls",
- "github.com/ogier/pflag",
"github.com/opentracing/opentracing-go",
"github.com/opentracing/opentracing-go/ext",
"github.com/opentracing/opentracing-go/log",
"github.com/openzipkin-contrib/zipkin-go-opentracing",
"github.com/patrickmn/go-cache",
+ "github.com/pmezard/go-difflib/difflib",
"github.com/prometheus/client_golang/prometheus",
"github.com/prometheus/client_golang/prometheus/promhttp",
"github.com/prometheus/client_model/go",
@@ -2246,7 +2295,6 @@
"github.com/stretchr/testify/mock",
"github.com/stretchr/testify/require",
"github.com/stvp/go-udp-testing",
- "github.com/thoas/stats",
"github.com/uber/jaeger-client-go",
"github.com/uber/jaeger-client-go/config",
"github.com/uber/jaeger-client-go/zipkin",
@@ -2271,6 +2319,7 @@
"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/opentracer",
"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer",
"gopkg.in/fsnotify.v1",
+ "gopkg.in/yaml.v2",
"k8s.io/api/core/v1",
"k8s.io/api/extensions/v1beta1",
"k8s.io/apimachinery/pkg/api/errors",
diff --git a/Gopkg.toml b/Gopkg.toml
index b6a718318..7f7fd3244 100644
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -69,10 +69,6 @@ required = [
name = "github.com/cenkalti/backoff"
version = "2.1.1"
-[[constraint]]
- name = "github.com/containous/flaeg"
- version = "1.4.1"
-
[[constraint]]
branch = "master"
name = "github.com/containous/mux"
@@ -81,14 +77,10 @@ required = [
branch = "containous-fork"
name = "github.com/containous/alice"
-[[constraint]]
- name = "github.com/containous/staert"
- version = "3.1.2"
-
-[[constraint]]
- name = "github.com/thoas/stats"
- # related to https://github.com/thoas/stats/pull/32
- revision = "4975baf6a358ed3ddaa42133996e1959f96c9300"
+#[[constraint]]
+# name = "github.com/thoas/stats"
+# # related to https://github.com/thoas/stats/pull/32
+# revision = "4975baf6a358ed3ddaa42133996e1959f96c9300"
[[constraint]]
name = "github.com/coreos/go-systemd"
@@ -137,9 +129,9 @@ required = [
# branch = "master"
# name = "github.com/jjcollinge/servicefabric"
-[[constraint]]
- branch = "master"
- name = "github.com/abronan/valkeyrie"
+#[[constraint]]
+# branch = "master"
+# name = "github.com/abronan/valkeyrie"
#[[constraint]]
# name = "github.com/mesosphere/mesos-dns"
@@ -193,13 +185,20 @@ required = [
name = "github.com/vulcand/oxy"
[[constraint]]
-# branch = "master"
name = "github.com/go-acme/lego"
- version = "2.4.0"
+ version = "2.6.0"
[[constraint]]
name = "google.golang.org/grpc"
- version = "1.5.2"
+ version = "1.13.0"
+
+[[override]]
+ name = "golang.org/x/sys"
+ revision = "1c9583448a9c3aa0f9a6a5241bf73c0bd8aafded"
+
+[[constraint]]
+ name = "github.com/golang/protobuf"
+ version = "v1.3.0"
[[constraint]]
name = "gopkg.in/fsnotify.v1"
@@ -278,8 +277,12 @@ required = [
[[constraint]]
name = "gopkg.in/DataDog/dd-trace-go.v1"
- version = "1.7.0"
+ version = "1.13.0"
[[constraint]]
name = "github.com/instana/go-sensor"
version = "1.4.12"
+
+[[constraint]]
+ name = "github.com/ExpediaDotCom/haystack-client-go"
+ version = "0.2.3"
diff --git a/Makefile b/Makefile
index 42bd2012c..83bed6228 100644
--- a/Makefile
+++ b/Makefile
@@ -96,10 +96,12 @@ test-integration: $(PRE_TARGET)
## Validate code and docs
validate-files: $(PRE_TARGET)
$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell
+ bash $(CURDIR)/script/validate-shell-script.sh
## Validate code, docs, and vendor
validate: $(PRE_TARGET)
$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell validate-vendor
+ bash $(CURDIR)/script/validate-shell-script.sh
## Clean up static directory and build a Docker Traefik image
build-image: binary
diff --git a/README.md b/README.md
index 3c83ed1d0..6c71fe473 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@
[![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)
-Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
+Traefik (pronounced _traffic_) is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
Traefik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
Pointing Traefik at your orchestrator should be the _only_ configuration step you need.
diff --git a/cmd/configuration.go b/cmd/configuration.go
index 643003112..795026e7a 100644
--- a/cmd/configuration.go
+++ b/cmd/configuration.go
@@ -3,40 +3,27 @@ package cmd
import (
"time"
- "github.com/containous/flaeg/parse"
"github.com/containous/traefik/pkg/config/static"
- "github.com/containous/traefik/pkg/middlewares/accesslog"
- "github.com/containous/traefik/pkg/ping"
- "github.com/containous/traefik/pkg/provider/docker"
- "github.com/containous/traefik/pkg/provider/file"
- "github.com/containous/traefik/pkg/provider/kubernetes/ingress"
- "github.com/containous/traefik/pkg/provider/marathon"
- "github.com/containous/traefik/pkg/provider/rancher"
- "github.com/containous/traefik/pkg/provider/rest"
- "github.com/containous/traefik/pkg/tracing/datadog"
- "github.com/containous/traefik/pkg/tracing/instana"
- "github.com/containous/traefik/pkg/tracing/jaeger"
- "github.com/containous/traefik/pkg/tracing/zipkin"
"github.com/containous/traefik/pkg/types"
- jaegercli "github.com/uber/jaeger-client-go"
)
-// TraefikConfiguration holds GlobalConfiguration and other stuff
-type TraefikConfiguration struct {
- static.Configuration `mapstructure:",squash" export:"true"`
- ConfigFile string `short:"c" description:"Configuration file to use (TOML)." export:"true"`
+// TraefikCmdConfiguration wraps the static configuration and extra parameters.
+type TraefikCmdConfiguration struct {
+ static.Configuration `export:"true"`
+ // ConfigFile is the path to the configuration file.
+ ConfigFile string `description:"Configuration file to use. If specified all other flags are ignored." export:"true"`
}
-// NewTraefikConfiguration creates a TraefikConfiguration with default values
-func NewTraefikConfiguration() *TraefikConfiguration {
- return &TraefikConfiguration{
+// NewTraefikConfiguration creates a TraefikCmdConfiguration with default values.
+func NewTraefikConfiguration() *TraefikCmdConfiguration {
+ return &TraefikCmdConfiguration{
Configuration: static.Configuration{
Global: &static.Global{
CheckNewVersion: true,
},
EntryPoints: make(static.EntryPoints),
Providers: &static.Providers{
- ProvidersThrottleDuration: parse.Duration(2 * time.Second),
+ ProvidersThrottleDuration: types.Duration(2 * time.Second),
},
ServersTransport: &static.ServersTransport{
MaxIdleConnsPerHost: 200,
@@ -45,162 +32,3 @@ func NewTraefikConfiguration() *TraefikConfiguration {
ConfigFile: "",
}
}
-
-// NewTraefikDefaultPointersConfiguration creates a TraefikConfiguration with pointers default values
-func NewTraefikDefaultPointersConfiguration() *TraefikConfiguration {
- // default File
- var defaultFile file.Provider
- defaultFile.Watch = true
- defaultFile.Filename = "" // needs equivalent to viper.ConfigFileUsed()
-
- // default Ping
- var defaultPing = ping.Handler{
- EntryPoint: "traefik",
- }
-
- // default TraefikLog
- defaultTraefikLog := types.TraefikLog{
- Format: "common",
- FilePath: "",
- }
-
- // default AccessLog
- defaultAccessLog := types.AccessLog{
- Format: accesslog.CommonFormat,
- FilePath: "",
- Filters: &types.AccessLogFilters{},
- Fields: &types.AccessLogFields{
- DefaultMode: types.AccessLogKeep,
- Headers: &types.FieldHeaders{
- DefaultMode: types.AccessLogKeep,
- },
- },
- }
-
- // default Tracing
- defaultTracing := static.Tracing{
- Backend: "jaeger",
- ServiceName: "traefik",
- SpanNameLimit: 0,
- Jaeger: &jaeger.Config{
- SamplingServerURL: "http://localhost:5778/sampling",
- SamplingType: "const",
- SamplingParam: 1.0,
- LocalAgentHostPort: "127.0.0.1:6831",
- Propagation: "jaeger",
- Gen128Bit: false,
- TraceContextHeaderName: jaegercli.TraceContextHeaderName,
- },
- Zipkin: &zipkin.Config{
- HTTPEndpoint: "http://localhost:9411/api/v1/spans",
- SameSpan: false,
- ID128Bit: true,
- Debug: false,
- SampleRate: 1.0,
- },
- DataDog: &datadog.Config{
- LocalAgentHostPort: "localhost:8126",
- GlobalTag: "",
- Debug: false,
- PrioritySampling: false,
- },
- Instana: &instana.Config{
- LocalAgentHost: "localhost",
- LocalAgentPort: 42699,
- LogLevel: "info",
- },
- }
-
- // default ApiConfiguration
- defaultAPI := static.API{
- EntryPoint: "traefik",
- Dashboard: true,
- }
- defaultAPI.Statistics = &types.Statistics{
- RecentErrors: 10,
- }
-
- // default Metrics
- defaultMetrics := types.Metrics{
- Prometheus: &types.Prometheus{
- Buckets: types.Buckets{0.1, 0.3, 1.2, 5},
- EntryPoint: static.DefaultInternalEntryPointName,
- },
- Datadog: &types.Datadog{
- Address: "localhost:8125",
- PushInterval: "10s",
- },
- StatsD: &types.Statsd{
- Address: "localhost:8125",
- PushInterval: "10s",
- },
- InfluxDB: &types.InfluxDB{
- Address: "localhost:8089",
- Protocol: "udp",
- PushInterval: "10s",
- },
- }
-
- defaultResolver := types.HostResolverConfig{
- CnameFlattening: false,
- ResolvConfig: "/etc/resolv.conf",
- ResolvDepth: 5,
- }
-
- var defaultDocker docker.Provider
- defaultDocker.Watch = true
- defaultDocker.ExposedByDefault = true
- defaultDocker.Endpoint = "unix:///var/run/docker.sock"
- defaultDocker.SwarmMode = false
- defaultDocker.SwarmModeRefreshSeconds = 15
- defaultDocker.DefaultRule = docker.DefaultTemplateRule
-
- // default Rest
- var defaultRest rest.Provider
- defaultRest.EntryPoint = static.DefaultInternalEntryPointName
-
- // default Marathon
- var defaultMarathon marathon.Provider
- defaultMarathon.Watch = true
- defaultMarathon.Endpoint = "http://127.0.0.1:8080"
- defaultMarathon.ExposedByDefault = true
- defaultMarathon.DialerTimeout = parse.Duration(5 * time.Second)
- defaultMarathon.ResponseHeaderTimeout = parse.Duration(60 * time.Second)
- defaultMarathon.TLSHandshakeTimeout = parse.Duration(5 * time.Second)
- defaultMarathon.KeepAlive = parse.Duration(10 * time.Second)
- defaultMarathon.DefaultRule = marathon.DefaultTemplateRule
-
- // default Kubernetes
- var defaultKubernetes ingress.Provider
-
- // default Rancher
- var defaultRancher rancher.Provider
- defaultRancher.Watch = true
- defaultRancher.ExposedByDefault = true
- defaultRancher.EnableServiceHealthFilter = true
- defaultRancher.RefreshSeconds = 15
- defaultRancher.DefaultRule = rancher.DefaultTemplateRule
- defaultRancher.Prefix = "latest"
-
- defaultProviders := static.Providers{
- File: &defaultFile,
- Docker: &defaultDocker,
- Rest: &defaultRest,
- Marathon: &defaultMarathon,
- Kubernetes: &defaultKubernetes,
- Rancher: &defaultRancher,
- }
-
- return &TraefikConfiguration{
- Configuration: static.Configuration{
- Providers: &defaultProviders,
- Log: &defaultTraefikLog,
- AccessLog: &defaultAccessLog,
- Ping: &defaultPing,
- API: &defaultAPI,
- Metrics: &defaultMetrics,
- Tracing: &defaultTracing,
- HostResolver: &defaultResolver,
- },
- }
-}
diff --git a/cmd/healthcheck/healthcheck.go b/cmd/healthcheck/healthcheck.go
index bfa0a6ca6..8784f5d60 100644
--- a/cmd/healthcheck/healthcheck.go
+++ b/cmd/healthcheck/healthcheck.go
@@ -7,34 +7,34 @@ import (
"os"
"time"
- "github.com/containous/flaeg"
- "github.com/containous/traefik/cmd"
+ "github.com/containous/traefik/pkg/cli"
"github.com/containous/traefik/pkg/config/static"
)
-// NewCmd builds a new HealthCheck command
-func NewCmd(traefikConfiguration *cmd.TraefikConfiguration, traefikPointersConfiguration *cmd.TraefikConfiguration) *flaeg.Command {
- return &flaeg.Command{
- Name: "healthcheck",
- Description: `Calls traefik /ping to check health (web provider must be enabled)`,
- Config: traefikConfiguration,
- DefaultPointersConfig: traefikPointersConfiguration,
- Run: runCmd(traefikConfiguration),
- Metadata: map[string]string{
- "parseAllSources": "true",
- },
+// NewCmd builds a new HealthCheck command.
+func NewCmd(traefikConfiguration *static.Configuration, loaders []cli.ResourceLoader) *cli.Command {
+ return &cli.Command{
+ Name: "healthcheck",
+ Description: `Calls Traefik /ping to check the health of Traefik (the API must be enabled).`,
+ Configuration: traefikConfiguration,
+ Run: runCmd(traefikConfiguration),
+ Resources: loaders,
}
}
-func runCmd(traefikConfiguration *cmd.TraefikConfiguration) func() error {
- return func() error {
- traefikConfiguration.Configuration.SetEffectiveConfiguration(traefikConfiguration.ConfigFile)
+func runCmd(traefikConfiguration *static.Configuration) func(_ []string) error {
+ return func(_ []string) error {
+ traefikConfiguration.SetEffectiveConfiguration("")
- resp, errPing := Do(traefikConfiguration.Configuration)
+ resp, errPing := Do(*traefikConfiguration)
+ if resp != nil {
+ resp.Body.Close()
+ }
if errPing != nil {
fmt.Printf("Error calling healthcheck: %s\n", errPing)
os.Exit(1)
}
+
if resp.StatusCode != http.StatusOK {
fmt.Printf("Bad healthcheck status: %s\n", resp.Status)
os.Exit(1)
@@ -50,6 +50,7 @@ func Do(staticConfiguration static.Configuration) (*http.Response, error) {
if staticConfiguration.Ping == nil {
return nil, errors.New("please enable `ping` to use health check")
}
+
pingEntryPoint, ok := staticConfiguration.EntryPoints[staticConfiguration.Ping.EntryPoint]
if !ok {
return nil, errors.New("missing `ping` entrypoint")
diff --git a/cmd/storeconfig/storeconfig.go b/cmd/storeconfig/storeconfig.go
deleted file mode 100644
index fd7070f9f..000000000
--- a/cmd/storeconfig/storeconfig.go
+++ /dev/null
@@ -1,150 +0,0 @@
-package storeconfig
-
-import (
- "encoding/json"
- "fmt"
- stdlog "log"
-
- "github.com/containous/flaeg"
- "github.com/containous/staert"
- "github.com/containous/traefik/cmd"
-)
-
-// NewCmd builds a new StoreConfig command
-func NewCmd(traefikConfiguration *cmd.TraefikConfiguration, traefikPointersConfiguration *cmd.TraefikConfiguration) *flaeg.Command {
- return &flaeg.Command{
- Name: "storeconfig",
- Description: `Stores the static traefik configuration into a Key-value stores. Traefik will not start.`,
- Config: traefikConfiguration,
- DefaultPointersConfig: traefikPointersConfiguration,
- HideHelp: true, // TODO storeconfig
- Metadata: map[string]string{
- "parseAllSources": "true",
- },
- }
-}
-
-// Run store config in KV
-func Run(kv *staert.KvSource, traefikConfiguration *cmd.TraefikConfiguration) func() error {
- return func() error {
- if kv == nil {
- return fmt.Errorf("error using command storeconfig, no Key-value store defined")
- }
-
- fileConfig := traefikConfiguration.Providers.File
- if fileConfig != nil {
- traefikConfiguration.Providers.File = nil
- if len(fileConfig.Filename) == 0 && len(fileConfig.Directory) == 0 {
- fileConfig.Filename = traefikConfiguration.ConfigFile
- }
- }
-
- jsonConf, err := json.Marshal(traefikConfiguration.Configuration)
- if err != nil {
- return err
- }
- stdlog.Printf("Storing configuration: %s\n", jsonConf)
-
- err = kv.StoreConfig(traefikConfiguration.Configuration)
- if err != nil {
- return err
- }
-
- if fileConfig != nil {
- jsonConf, err = json.Marshal(fileConfig)
- if err != nil {
- return err
- }
-
- stdlog.Printf("Storing file configuration: %s\n", jsonConf)
- config, err := fileConfig.BuildConfiguration()
- if err != nil {
- return err
- }
-
- stdlog.Print("Writing config to KV")
- err = kv.StoreConfig(config)
- if err != nil {
- return err
- }
- }
-
- // if traefikConfiguration.Configuration.ACME != nil {
- // account := &acme.Account{}
- //
- // accountInitialized, err := keyExists(kv, traefikConfiguration.Configuration.ACME.Storage)
- // if err != nil && err != store.ErrKeyNotFound {
- // return err
- // }
- //
- // // Check to see if ACME account object is already in kv store
- // if traefikConfiguration.Configuration.ACME.OverrideCertificates || !accountInitialized {
- //
- // // Stores the ACME Account into the KV Store
- // // Certificates in KV Stores will be overridden
- // meta := cluster.NewMetadata(account)
- // err = meta.Marshall()
- // if err != nil {
- // return err
- // }
- //
- // source := staert.KvSource{
- // Store: kv,
- // Prefix: traefikConfiguration.Configuration.ACME.Storage,
- // }
- //
- // err = source.StoreConfig(meta)
- // if err != nil {
- // return err
- // }
- // }
- // }
- return nil
- }
-}
-
-// func keyExists(source *staert.KvSource, key string) (bool, error) {
-// list, err := source.List(key, nil)
-// if err != nil {
-// return false, err
-// }
-//
-// return len(list) > 0, nil
-// }
-
-// CreateKvSource creates KvSource
-// TLS support is enable for Consul and Etcd backends
-func CreateKvSource(traefikConfiguration *cmd.TraefikConfiguration) (*staert.KvSource, error) {
- var kv *staert.KvSource
- // var kvStore store.Store
- var err error
-
- // TODO kv store
- // switch {
- // case traefikConfiguration.Providers.Consul != nil:
- // kvStore, err = traefikConfiguration.Providers.Consul.CreateStore()
- // kv = &staert.KvSource{
- // Store: kvStore,
- // Prefix: traefikConfiguration.Providers.Consul.Prefix,
- // }
- // case traefikConfiguration.Providers.Etcd != nil:
- // kvStore, err = traefikConfiguration.Providers.Etcd.CreateStore()
- // kv = &staert.KvSource{
- // Store: kvStore,
- // Prefix: traefikConfiguration.Providers.Etcd.Prefix,
- // }
- // case traefikConfiguration.Providers.Zookeeper != nil:
- // kvStore, err = traefikConfiguration.Providers.Zookeeper.CreateStore()
- // kv = &staert.KvSource{
- // Store: kvStore,
- // Prefix: traefikConfiguration.Providers.Zookeeper.Prefix,
- // }
- // case traefikConfiguration.Providers.Boltdb != nil:
- // kvStore, err = traefikConfiguration.Providers.Boltdb.CreateStore()
- // kv = &staert.KvSource{
- // Store: kvStore,
- // Prefix: traefikConfiguration.Providers.Boltdb.Prefix,
- // }
- // }
- return kv, err
-}
diff --git a/cmd/traefik/traefik.go b/cmd/traefik/traefik.go
index 550af28ab..d69677b05 100644
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -4,38 +4,30 @@ import (
"context"
"encoding/json"
"fmt"
- fmtlog "log"
+ stdlog "log"
"net/http"
"os"
"path/filepath"
- "reflect"
"strings"
"time"
- "github.com/cenkalti/backoff"
- "github.com/containous/flaeg"
- "github.com/containous/staert"
"github.com/containous/traefik/autogen/genstatic"
"github.com/containous/traefik/cmd"
"github.com/containous/traefik/cmd/healthcheck"
- "github.com/containous/traefik/cmd/storeconfig"
cmdVersion "github.com/containous/traefik/cmd/version"
+ "github.com/containous/traefik/pkg/cli"
"github.com/containous/traefik/pkg/collector"
"github.com/containous/traefik/pkg/config"
"github.com/containous/traefik/pkg/config/static"
- "github.com/containous/traefik/pkg/job"
"github.com/containous/traefik/pkg/log"
"github.com/containous/traefik/pkg/provider/aggregator"
- "github.com/containous/traefik/pkg/provider/kubernetes/k8s"
"github.com/containous/traefik/pkg/safe"
"github.com/containous/traefik/pkg/server"
"github.com/containous/traefik/pkg/server/router"
traefiktls "github.com/containous/traefik/pkg/tls"
- "github.com/containous/traefik/pkg/types"
"github.com/containous/traefik/pkg/version"
"github.com/coreos/go-systemd/daemon"
assetfs "github.com/elazarl/go-bindata-assetfs"
- "github.com/ogier/pflag"
"github.com/sirupsen/logrus"
"github.com/vulcand/oxy/roundrobin"
)
@@ -48,141 +40,38 @@ func init() {
os.Setenv("GODEBUG", goDebug+"tls13=1")
}
-// sliceOfStrings is the parser for []string
-type sliceOfStrings []string
-
-// String is the method to format the flag's value, part of the flag.Value interface.
-// The String method's output will be used in diagnostics.
-func (s *sliceOfStrings) String() string {
- return strings.Join(*s, ",")
-}
-
-// Set is the method to set the flag value, part of the flag.Value interface.
-// Set's argument is a string to be parsed to set the flag.
-// It's a comma-separated list, so we split it.
-func (s *sliceOfStrings) Set(value string) error {
- parts := strings.Split(value, ",")
- if len(parts) == 0 {
- return fmt.Errorf("bad []string format: %s", value)
- }
- for _, entrypoint := range parts {
- *s = append(*s, entrypoint)
- }
- return nil
-}
-
-// Get return the []string
-func (s *sliceOfStrings) Get() interface{} {
- return *s
-}
-
-// SetValue sets the []string with val
-func (s *sliceOfStrings) SetValue(val interface{}) {
- *s = val.([]string)
-}
-
-// Type is type of the struct
-func (s *sliceOfStrings) Type() string {
- return "sliceOfStrings"
-}
-
func main() {
// traefik config inits
- traefikConfiguration := cmd.NewTraefikConfiguration()
- traefikPointersConfiguration := cmd.NewTraefikDefaultPointersConfiguration()
+ tConfig := cmd.NewTraefikConfiguration()
- // traefik Command init
- traefikCmd := &flaeg.Command{
+ loaders := []cli.ResourceLoader{&cli.FileLoader{}, &cli.EnvLoader{}, &cli.FlagLoader{}}
+
+ cmdTraefik := &cli.Command{
Name: "traefik",
Description: `Traefik is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
Complete documentation is available at https://traefik.io`,
- Config: traefikConfiguration,
- DefaultPointersConfig: traefikPointersConfiguration,
- Run: func() error {
- return runCmd(&traefikConfiguration.Configuration, traefikConfiguration.ConfigFile)
+ Configuration: tConfig,
+ Resources: loaders,
+ Run: func(_ []string) error {
+ return runCmd(&tConfig.Configuration, cli.GetConfigFile(loaders))
},
}
- // storeconfig Command init
- storeConfigCmd := storeconfig.NewCmd(traefikConfiguration, traefikPointersConfiguration)
-
- // init flaeg source
- f := flaeg.New(traefikCmd, os.Args[1:])
- // add custom parsers
- f.AddParser(reflect.TypeOf(static.EntryPoints{}), &static.EntryPoints{})
-
- f.AddParser(reflect.SliceOf(reflect.TypeOf("")), &sliceOfStrings{})
- f.AddParser(reflect.TypeOf(traefiktls.FilesOrContents{}), &traefiktls.FilesOrContents{})
- f.AddParser(reflect.TypeOf(types.Constraints{}), &types.Constraints{})
- f.AddParser(reflect.TypeOf(k8s.Namespaces{}), &k8s.Namespaces{})
- f.AddParser(reflect.TypeOf([]types.Domain{}), &types.Domains{})
- f.AddParser(reflect.TypeOf(types.DNSResolvers{}), &types.DNSResolvers{})
- f.AddParser(reflect.TypeOf(types.Buckets{}), &types.Buckets{})
-
- f.AddParser(reflect.TypeOf(types.StatusCodes{}), &types.StatusCodes{})
- f.AddParser(reflect.TypeOf(types.FieldNames{}), &types.FieldNames{})
- f.AddParser(reflect.TypeOf(types.FieldHeaderNames{}), &types.FieldHeaderNames{})
-
- // add commands
- f.AddCommand(cmdVersion.NewCmd())
- f.AddCommand(storeConfigCmd)
- f.AddCommand(healthcheck.NewCmd(traefikConfiguration, traefikPointersConfiguration))
-
- usedCmd, err := f.GetCommand()
+ err := cmdTraefik.AddCommand(healthcheck.NewCmd(&tConfig.Configuration, loaders))
if err != nil {
- fmtlog.Println(err)
+ stdlog.Println(err)
os.Exit(1)
}
- if _, err := f.Parse(usedCmd); err != nil {
- if err == pflag.ErrHelp {
- os.Exit(0)
- }
- fmtlog.Printf("Error parsing command: %s\n", err)
- os.Exit(1)
- }
-
- // staert init
- s := staert.NewStaert(traefikCmd)
- // init TOML source
- toml := staert.NewTomlSource("traefik", []string{traefikConfiguration.ConfigFile, "/etc/traefik/", "$HOME/.traefik/", "."})
-
- // add sources to staert
- s.AddSource(toml)
- s.AddSource(f)
- if _, err := s.LoadConfig(); err != nil {
- fmtlog.Printf("Error reading TOML config file %s : %s\n", toml.ConfigFileUsed(), err)
- os.Exit(1)
- }
-
- traefikConfiguration.ConfigFile = toml.ConfigFileUsed()
-
- kv, err := storeconfig.CreateKvSource(traefikConfiguration)
+ err = cmdTraefik.AddCommand(cmdVersion.NewCmd())
if err != nil {
- fmtlog.Printf("Error creating kv store: %s\n", err)
+ stdlog.Println(err)
os.Exit(1)
}
- storeConfigCmd.Run = storeconfig.Run(kv, traefikConfiguration)
- // if a KV Store is enable and no sub-command called in args
- if kv != nil && usedCmd == traefikCmd {
- s.AddSource(kv)
- operation := func() error {
- _, err := s.LoadConfig()
- return err
- }
- notify := func(err error, time time.Duration) {
- log.WithoutContext().Errorf("Load config error: %+v, retrying in %s", err, time)
- }
- err := backoff.RetryNotify(safe.OperationWithRecover(operation), job.NewBackOff(backoff.NewExponentialBackOff()), notify)
- if err != nil {
- fmtlog.Printf("Error loading configuration: %s\n", err)
- os.Exit(1)
- }
- }
-
- if err := s.Run(); err != nil {
- fmtlog.Printf("Error running traefik: %s\n", err)
+ err = cli.Execute(cmdTraefik)
+ if err != nil {
+ stdlog.Println(err)
os.Exit(1)
}
@@ -192,10 +81,6 @@ Complete documentation is available at https://traefik.io`,
func runCmd(staticConfiguration *static.Configuration, configFile string) error {
configureLogging(staticConfiguration)
- if len(configFile) > 0 {
- log.WithoutContext().Infof("Using TOML configuration file %s", configFile)
- }
-
http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
if err := roundrobin.SetDefaultWeight(0); err != nil {
@@ -289,7 +174,11 @@ func runCmd(staticConfiguration *static.Configuration, configFile string) error
safe.Go(func() {
tick := time.Tick(t)
for range tick {
- _, errHealthCheck := healthcheck.Do(*staticConfiguration)
+ resp, errHealthCheck := healthcheck.Do(*staticConfiguration)
+ if resp != nil {
+ resp.Body.Close()
+ }
+
if staticConfiguration.Ping == nil || errHealthCheck == nil {
if ok, _ := daemon.SdNotify(false, "WATCHDOG=1"); !ok {
log.WithoutContext().Error("Fail to tick watchdog")
@@ -309,22 +198,17 @@ func runCmd(staticConfiguration *static.Configuration, configFile string) error
func configureLogging(staticConfiguration *static.Configuration) {
// configure default log flags
- fmtlog.SetFlags(fmtlog.Lshortfile | fmtlog.LstdFlags)
+ stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
// configure log level
// an explicitly defined log level always has precedence. if none is
// given and debug mode is disabled, the default is ERROR, and DEBUG
// otherwise.
- var levelStr string
- if staticConfiguration.Log != nil {
+ levelStr := "error"
+ if staticConfiguration.Log != nil && staticConfiguration.Log.Level != "" {
levelStr = strings.ToLower(staticConfiguration.Log.Level)
}
- if levelStr == "" {
- levelStr = "error"
- if staticConfiguration.Global.Debug {
- levelStr = "debug"
- }
- }
+
level, err := logrus.ParseLevel(levelStr)
if err != nil {
log.WithoutContext().Errorf("Error getting level: %v", err)
@@ -377,7 +261,7 @@ func checkNewVersion() {
func stats(staticConfiguration *static.Configuration) {
if staticConfiguration.Global.SendAnonymousUsage == nil {
log.WithoutContext().Error(`
-You haven't specify the sendAnonymousUsage option, it will be enable by default.
+You haven't specified the sendAnonymousUsage option, it will be enabled by default.
`)
sendAnonymousUsage := true
staticConfiguration.Global.SendAnonymousUsage = &sendAnonymousUsage
diff --git a/cmd/version/version.go b/cmd/version/version.go
index 4d0e9c779..cf1f9bcf7 100644
--- a/cmd/version/version.go
+++ b/cmd/version/version.go
@@ -7,7 +7,7 @@ import (
"runtime"
"text/template"
- "github.com/containous/flaeg"
+ "github.com/containous/traefik/pkg/cli"
"github.com/containous/traefik/pkg/version"
)
@@ -18,19 +18,17 @@ Built: {{.BuildTime}}
OS/Arch: {{.Os}}/{{.Arch}}`
// NewCmd builds a new Version command
-func NewCmd() *flaeg.Command {
- return &flaeg.Command{
- Name: "version",
- Description: `Print version`,
- Config: struct{}{},
- DefaultPointersConfig: struct{}{},
- Run: func() error {
+func NewCmd() *cli.Command {
+ return &cli.Command{
+ Name: "version",
+ Description: `Shows the current Traefik version.`,
+ Configuration: nil,
+ Run: func(_ []string) error {
if err := GetPrint(os.Stdout); err != nil {
return err
}
fmt.Print("\n")
return nil
-
},
}
}
diff --git a/docs/content/contributing/building-testing.md b/docs/content/contributing/building-testing.md
index c7b709901..99976f964 100644
--- a/docs/content/contributing/building-testing.md
+++ b/docs/content/contributing/building-testing.md
@@ -43,7 +43,7 @@ $ ls dist/
traefik*
```
-The following targets can be executed outside Docker (we don't recommend that):
+The following targets can be executed outside Docker by setting the variable `PRE_TARGET` to an empty string (we don't recommend that):
- `test-unit`
- `test-integration`
@@ -61,24 +61,24 @@ PRE_TARGET= make test-unit
You need `go` v1.12+.
!!! tip "Source Directory"
-
+
It is recommended that you clone Traefik into the `~/go/src/github.com/containous/traefik` directory.
This is the official golang workspace hierarchy that will allow dependencies to be properly resolved.
!!! note "Environment"
Set your `GOPATH` and `PATH` variable to be set to `~/go` via:
-
+
```bash
export GOPATH=~/go
export PATH=$PATH:$GOPATH/bin
```
-
+
For convenience, add `GOPATH` and `PATH` to your `.bashrc` or `.bash_profile`
-
+
Verify your environment is setup properly by running `$ go env`.
Depending on your OS and environment, you should see an output similar to:
-
+
```bash
GOARCH="amd64"
GOBIN=""
diff --git a/docs/content/contributing/documentation.md b/docs/content/contributing/documentation.md
index c64ecf6d6..eb5f176f1 100644
--- a/docs/content/contributing/documentation.md
+++ b/docs/content/contributing/documentation.md
@@ -10,7 +10,7 @@ Let's see how.
### General
-This [documentation](http://docs.traefik.io/) is built with [mkdocs](http://mkdocs.org/).
+This [documentation](https://docs.traefik.io/) is built with [mkdocs](https://mkdocs.org/).
### Method 1: `Docker` and `make`
diff --git a/docs/content/contributing/maintainers.md b/docs/content/contributing/maintainers.md
index eb62eabdd..9dc5d8ebf 100644
--- a/docs/content/contributing/maintainers.md
+++ b/docs/content/contributing/maintainers.md
@@ -16,6 +16,7 @@
* Gérald Croës [@geraldcroes](https://github.com/geraldcroes)
* Jean-Baptiste Doumenjou [@jbdoumenjou](https://github.com/jbdoumenjou)
* Damien Duportal [@dduportal](https://github.com/dduportal)
+* Mathieu Lonjaret [@mpl](https://github.com/mpl)
## Contributions Daily Meeting
diff --git a/docs/content/contributing/submitting-pull-requests.md b/docs/content/contributing/submitting-pull-requests.md
index c171d9fea..bb3183f40 100644
--- a/docs/content/contributing/submitting-pull-requests.md
+++ b/docs/content/contributing/submitting-pull-requests.md
@@ -42,4 +42,4 @@ Help the readers focus on what matters, and help them understand the structure o
!!! tip "10 Tips for Better Pull Requests"
- We enjoyed this article, maybe you will too! [10 tips for better pull requests](http://blog.ploeh.dk/2015/01/15/10-tips-for-better-pull-requests/).
+ We enjoyed this article, maybe you will too! [10 tips for better pull requests](https://blog.ploeh.dk/2015/01/15/10-tips-for-better-pull-requests/).
diff --git a/docs/content/contributing/thank-you.md b/docs/content/contributing/thank-you.md
index ac4a077e3..ab4dd7153 100644
--- a/docs/content/contributing/thank-you.md
+++ b/docs/content/contributing/thank-you.md
@@ -8,3 +8,20 @@ and wouldn't have become what it is today without the help of our [many contribu
not accounting for people having helped with issues, tests, comments, articles, ... or just enjoying it and letting others know.
So once again, thank you for your invaluable help on making Traefik such a good product.
+
+!!! question "Where to Go Next?"
+ If you want to:
+
+ - Propose and idea, request a feature a report a bug,
+ read the page [Submitting Issues](./submitting-issues.md).
+ - Discover how to make an efficient contribution,
+ read the page [Submitting Pull Requests](./submitting-pull-requests.md).
+ - Learn how to build and test Traefik,
+ the page [Building and Testing](./building-testing.md) is for you.
+ - Contribute to the documentation,
+ read the related page [Documentation](./documentation.md).
+ - Understand how do we learn about Traefik usage,
+ read the [Data Collection](./data-collection.md) page.
+ - Spread the love about Traefik, please check the [Advocating](./advocating.md) page.
+ - Learn about who are the maintainers and how they work on the project,
+ read the [Maintainers](./maintainers.md) page.
diff --git a/docs/content/getting-started/concepts.md b/docs/content/getting-started/concepts.md
index a7481a790..12d860720 100644
--- a/docs/content/getting-started/concepts.md
+++ b/docs/content/getting-started/concepts.md
@@ -14,7 +14,7 @@ it knows all the logic and every rule that determine which services handle which
Where traditionally edge routers (or reverse proxies) need a configuration file that contains every possible route to your services, Traefik gets them from the services themselves.
-Deploying your services, you attach information that tell Traefik the characteristics of the requests the services can handle.
+Deploying your services, you attach information that tells Traefik the characteristics of the requests the services can handle.
![Decentralized Configuration](../assets/img/traefik-concepts-2.png)
diff --git a/docs/content/getting-started/configuration-overview.md b/docs/content/getting-started/configuration-overview.md
index 3624961b9..3620123b4 100644
--- a/docs/content/getting-started/configuration-overview.md
+++ b/docs/content/getting-started/configuration-overview.md
@@ -33,31 +33,23 @@ Traefik gets its _dynamic configuration_ from [providers](../providers/overview.
## The Static Configuration
-There are three different locations where you can define static configuration options in Traefik:
+There are three different, mutually exclusive, ways to define static configuration options in Traefik:
-- In a key-value store
-- In the command-line arguments
- In a configuration file
+- As environment variables
+- In the command-line arguments
-If you don't provide a value for a given option, default values apply.
+These ways are evaluated in the order listed above.
-!!! important "Precedence Order"
-
- The following precedence order applies for configuration options: key-value > command-line > configuration file.
+If no value was provided for a given option, a default value applies.
+Moreover, if an option has sub-options, and any of these sub-options is not specified, a default value will apply as well.
- It means that arguments override configuration file, and key-value store overrides arguments.
-
-!!! important "Default Values"
-
- Some root options are enablers: they set default values for all their children.
-
- For example, the `--providers.docker` option enables the docker provider.
- Once positioned, this option sets (and resets) all the default values under the root `providers.docker`.
- If you define child options using a lesser precedence configuration source, they will be overwritten by the default values.
+For example, the `--providers.docker` option is enough by itself to enable the docker provider, even though sub-options like `--providers.docker.endpoint` exist.
+Once positioned, this option sets (and resets) all the default values of the sub-options of `--providers.docker`.
### Configuration File
-At startup, Traefik searches for a file named `traefik.toml` in `/etc/traefik/`, `$HOME/.traefik/`, and `.` (_the working directory_).
+At startup, Traefik searches for a file named `traefik.toml` in `/etc/traefik/`, `$XDG_CONFIG_HOME/`, `$HOME/.config/`, and `.` (_the working directory_).
You can override this using the `configFile` argument.
@@ -67,16 +59,16 @@ traefik --configFile=foo/bar/myconfigfile.toml
### Arguments
-Use `traefik --help` to get the list of the available arguments.
+To get the list of all available arguments:
-### Key-Value Stores
+```bash
+traefik --help
-Traefik supports several Key-value stores:
+# or
-- [Consul](https://consul.io)
-- [etcd](https://coreos.com/etcd/)
-- [ZooKeeper](https://zookeeper.apache.org/)
-- [boltdb](https://github.com/boltdb/bolt)
+docker run traefik[:version] --help
+# ex: docker run traefik:2.0 --help
+```
## Available Configuration Options
diff --git a/docs/content/getting-started/quick-start.md b/docs/content/getting-started/quick-start.md
index dd18019b4..c6e976184 100644
--- a/docs/content/getting-started/quick-start.md
+++ b/docs/content/getting-started/quick-start.md
@@ -81,7 +81,7 @@ docker-compose up -d --scale whoami=2
Go back to your browser ([http://localhost:8080/api/rawdata](http://localhost:8080/api/rawdata)) and see that Traefik has automatically detected the new instance of the container.
-Finally, see that Traefik load-balances between the two instances of your services by running twice the following command:
+Finally, see that Traefik load-balances between the two instances of your service by running the following command twice:
```shell
curl -H Host:whoami.docker.localhost http://127.0.0.1
diff --git a/docs/content/https-tls/overview.md b/docs/content/https-tls/overview.md
deleted file mode 100644
index 3b1a20733..000000000
--- a/docs/content/https-tls/overview.md
+++ /dev/null
@@ -1,145 +0,0 @@
-# HTTPS & TLS
-
-Traefik supports HTTPS & TLS, and is able to accept new certificates / updates over time (without being restarted).
-TLS is enabled at the [router](../routing/routers/index.md) level, but some options are configured in dedicated sections (`tlsOptions` & `tlsStores`) described in this section.
-
-## Configuration Example
-
-??? example "Configuring a Default Certificate"
-
- ```toml
- [tlsStores]
- [tlsStores.default]
- [tlsStores.default.defaultCertificate]
- certFile = "path/to/cert.crt"
- keyFile = "path/to/cert.key"
- ```
-
-??? example "Configuring a Minimum TLS Version"
-
- ```toml
- [tlsOptions]
- [tlsOptions.default]
- minVersion = "VersionTLS12"
- ```
-
-??? example "Defining Certificates"
-
- ```toml
- [[tls]]
- [tls.certificate]
- certFile = "/path/to/domain.cert"
- keyFile = "/path/to/domain.key"
-
- [[tls]]
- [tls.certificate]
- certFile = "/path/to/other-domain.cert"
- keyFile = "/path/to/other-domain.key"
- ```
-
-!!! important "File Provider Only"
-
- In the above example, we've used the [file provider](../providers/file.md) to handle the TLS configuration (tlsStores, tlsOptions, and TLS certificates).
- In its current alpha version, it is the only available method to configure these elements.
- Of course, these options are hot reloaded and can be updated at runtime (they belong to the [dynamic configuration](../getting-started/configuration-overview.md)).
-
-## Configuration Options
-
-### Dynamic Certificates
-
-To add / remove TLS certificates while Traefik is running, the [file provider](../providers/file.md) supports Dynamic TLS certificates in its `[[tls]]` section.
-
-!!! example "Defining Certificates"
-
- ```toml
- [[tls]]
- stores = ["default"]
- [tls.certificate]
- certFile = "/path/to/domain.cert"
- keyFile = "/path/to/domain.key"
-
- [[tls]]
- stores = ["default"]
- [tls.certificate]
- certFile = "/path/to/other-domain.cert"
- keyFile = "/path/to/other-domain.key"
- ```
-
- ??? note "Stores"
-
- During the alpha version, the stores option will be ignored and be automatically set to ["default"].
-
-### Mutual Authentication
-
-Traefik supports both optional and non optional (defaut value) mutual authentication.
-
-- When `optional = false`, Traefik accepts connections only from client presenting a certificate signed by a CA listed in `ClientCA.files`.
-- When `optional = true`, Traefik authorizes connections from client presenting a certificate signed by an unknown CA.
-
-!!! example "Non Optional Mutual Authentication"
-
- In the following example, both `snitest.com` and `snitest.org` will require client certificates.
-
- ```toml
- [tlsOptions]
- [tlsOptions.default]
- [tlsOptions.default.ClientCA]
- files = ["tests/clientca1.crt", "tests/clientca2.crt"]
- optional = false
- ```
-
- ??? note "ClientCA.files"
-
- You can use a file per `CA:s`, or a single file containing multiple `CA:s` (in `PEM` format).
-
- `ClientCA.files` is not optional: every client will have to present a valid certificate. (This requirement will apply to every server certificate declared in the entrypoint.)
-
-### Minimum TLS Version
-
-!!! example "Min TLS version & [cipherSuites](https://godoc.org/crypto/tls#pkg-constants)"
-
- ```toml
- [tlsOptions]
- [tlsOptions.default]
- minVersion = "VersionTLS12"
- cipherSuites = [
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_RSA_WITH_AES_256_GCM_SHA384"
- ]
- ```
-
-### Strict SNI Checking
-
-With strict SNI checking, Traefik won't allow connections without a matching certificate.
-
-!!! example "Strict SNI"
-
- ```toml
- [tlsOptions]
- [tlsOptions.default]
- sniStrict = true
- ```
-
-### Default Certificate
-
-Traefik can use a default certificate for connections without a SNI, or without a matching domain.
-
-If no default certificate is provided, Traefik generates and uses a self-signed certificate.
-
-!!! example "Setting a Default Certificate"
-
- ```toml
- [tlsStores]
- [tlsStores.default]
- [tlsStores.default.defaultCertificate]
- certFile = "path/to/cert.crt"
- keyFile = "path/to/cert.key"
- ```
-
- ??? note "Only One Default Certificate"
-
- There can only be one `defaultCertificate` per tlsOptions.
-
- ??? note "Default TLS Store"
-
- During the alpha version, there is only one globally available TLS Store (`default`).
diff --git a/docs/content/https-tls/acme.md b/docs/content/https/acme.md
similarity index 74%
rename from docs/content/https-tls/acme.md
rename to docs/content/https/acme.md
index 7b8617c2d..ef75ecf5d 100644
--- a/docs/content/https-tls/acme.md
+++ b/docs/content/https/acme.md
@@ -1,4 +1,4 @@
-# ACME
+# Let's Encrypt
Automatic HTTPS
{: .subtitle }
@@ -54,9 +54,18 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
There are many available options for ACME. For a quick glance at what's possible, browse the configuration reference:
```toml
- --8<-- "content/https-tls/ref-acme.toml"
+ --8<-- "content/https/ref-acme.toml"
```
+## Automatic Renewals
+
+Traefik automatically tracks the expiry date of ACME certificates it generates.
+
+If there are less than 30 days remaining before the certificate expires, Traefik will attempt to rewnew it automatically.
+
+!!! note
+ Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.
+
## The Different ACME Challenges
### `tlsChallenge`
@@ -119,63 +128,63 @@ Do not hesitate to complete it.
Every lego environment variable can be overridden by their respective `_FILE` counterpart, which should have a filepath to a file that contains the secret as its value.
For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used to provide a Cloudflare API email address as a Docker secret named `traefik_cf-api-email`.
-| Provider Name | Provider Code | Environment Variables | Wildcard & Root Domain Support |
-|-------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------|
-| [ACME DNS](https://github.com/joohoi/acme-dns) | `acme-dns` | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH` | Not tested yet |
-| [Alibaba Cloud](https://www.vultr.com) | `alidns` | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID` | Not tested yet |
-| [Auroradns](https://www.pcextreme.com/aurora/dns) | `auroradns` | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT` | Not tested yet |
-| [Azure](https://azure.microsoft.com/services/dns/) | `azure` | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]` | Not tested yet |
-| [Blue Cat](https://www.bluecatnetworks.com/) | `bluecat` | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW` | Not tested yet |
-| [ClouDNS](https://www.cloudns.net/) | `cloudns` | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD` | YES |
-| [Cloudflare](https://www.cloudflare.com) | `cloudflare` | `CF_API_EMAIL`, `CF_API_KEY` - The `Global API Key` needs to be used, not the `Origin CA Key` | YES |
-| [CloudXNS](https://www.cloudxns.net) | `cloudxns` | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY` | Not tested yet |
-| [ConoHa](https://www.conoha.jp) | `conoha` | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD` | YES |
-| [DigitalOcean](https://www.digitalocean.com) | `digitalocean` | `DO_AUTH_TOKEN` | YES |
-| [DNSimple](https://dnsimple.com) | `dnsimple` | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL` | YES |
-| [DNS Made Easy](https://dnsmadeeasy.com) | `dnsmadeeasy` | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX` | Not tested yet |
-| [DNSPod](https://www.dnspod.com/) | `dnspod` | `DNSPOD_API_KEY` | Not tested yet |
-| [Domain Offensive (do.de)](https://www.do.de/) | `dode` | `DODE_TOKEN` | YES |
-| [DreamHost](https://www.dreamhost.com/) | `dreamhost` | `DREAMHOST_API_KEY` | YES |
-| [Duck DNS](https://www.duckdns.org/) | `duckdns` | `DUCKDNS_TOKEN` | YES |
-| [Dyn](https://dyn.com) | `dyn` | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD` | Not tested yet |
-| External Program | `exec` | `EXEC_PATH` | YES |
-| [Exoscale](https://www.exoscale.com) | `exoscale` | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT` | YES |
-| [Fast DNS](https://www.akamai.com/) | `fastdns` | `AKAMAI_CLIENT_TOKEN`, `AKAMAI_CLIENT_SECRET`, `AKAMAI_ACCESS_TOKEN` | YES |
-| [Gandi](https://www.gandi.net) | `gandi` | `GANDI_API_KEY` | Not tested yet |
-| [Gandi v5](http://doc.livedns.gandi.net) | `gandiv5` | `GANDIV5_API_KEY` | YES |
-| [Glesys](https://glesys.com/) | `glesys` | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN` | Not tested yet |
-| [GoDaddy](https://godaddy.com/domains) | `godaddy` | `GODADDY_API_KEY`, `GODADDY_API_SECRET` | Not tested yet |
-| [Google Cloud DNS](https://cloud.google.com/dns/docs/) | `gcloud` | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`] | YES |
-| [hosting.de](https://www.hosting.de) | `hostingde` | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME` | YES |
-| HTTP request | `httpreq` | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1] | YES |
-| [IIJ](https://www.iij.ad.jp/) | `iij` | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE` | Not tested yet |
-| [INWX](https://www.inwx.de/en) | `inwx` | `INWX_USERNAME`, `INWX_PASSWORD` | YES |
-| [Lightsail](https://aws.amazon.com/lightsail/) | `lightsail` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE` | Not tested yet |
-| [Linode](https://www.linode.com) | `linode` | `LINODE_API_KEY` | Not tested yet |
-| [Linode v4](https://www.linode.com) | `linodev4` | `LINODE_TOKEN` | Not tested yet |
-| manual | - | none, but you need to run Traefik interactively [^4], turn on `acmeLogging` to see instructions and press Enter. | YES |
-| [MyDNS.jp](https://www.mydns.jp/) | `mydnsjp` | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD` | YES |
-| [Namecheap](https://www.namecheap.com) | `namecheap` | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY` | YES |
-| [name.com](https://www.name.com/) | `namedotcom` | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER` | Not tested yet |
-| [Netcup](https://www.netcup.eu/) | `netcup` | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD` | Not tested yet |
-| [NIFCloud](https://cloud.nifty.com/service/dns.htm) | `nifcloud` | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY` | Not tested yet |
-| [Ns1](https://ns1.com/) | `ns1` | `NS1_API_KEY` | Not tested yet |
-| [Open Telekom Cloud](https://cloud.telekom.de) | `otc` | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT` | Not tested yet |
-| [OVH](https://www.ovh.com) | `ovh` | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY` | YES |
-| [Openstack Designate](https://docs.openstack.org/designate) | `designate` | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME` | YES |
-| [Oracle Cloud](https://cloud.oracle.com/home) | `oraclecloud` | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | YES |
-| [PowerDNS](https://www.powerdns.com) | `pdns` | `PDNS_API_KEY`, `PDNS_API_URL` | Not tested yet |
-| [Rackspace](https://www.rackspace.com/cloud/dns) | `rackspace` | `RACKSPACE_USER`, `RACKSPACE_API_KEY` | Not tested yet |
-| [RFC2136](https://tools.ietf.org/html/rfc2136) | `rfc2136` | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER` | Not tested yet |
-| [Route 53](https://aws.amazon.com/route53/) | `route53` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile. | YES |
-| [Sakura Cloud](https://cloud.sakura.ad.jp/) | `sakuracloud` | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET` | Not tested yet |
-| [Selectel](https://selectel.ru/en/) | `selectel` | `SELECTEL_API_TOKEN` | YES |
-| [Stackpath](https://www.stackpath.com/) | `stackpath` | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID` | Not tested yet |
-| [TransIP](https://www.transip.nl/) | `transip` | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH` | YES |
-| [VegaDNS](https://github.com/shupp/VegaDNS-API) | `vegadns` | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL` | Not tested yet |
-| [Vscale](https://vscale.io/) | `vscale` | `VSCALE_API_TOKEN` | YES |
-| [VULTR](https://www.vultr.com) | `vultr` | `VULTR_API_KEY` | Not tested yet |
-| [Zone.ee](https://www.zone.ee) | `zoneee` | `ZONEEE_API_USER`, `ZONEEE_API_KEY` | YES |
+| Provider Name | Provider Code | Environment Variables | |
+|-------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
+| [ACME DNS](https://github.com/joohoi/acme-dns) | `acme-dns` | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH` | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns) |
+| [Alibaba Cloud](https://www.vultr.com) | `alidns` | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID` | [Additional configuration](https://go-acme.github.io/lego/dns/alidns) |
+| [Auroradns](https://www.pcextreme.com/aurora/dns) | `auroradns` | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT` | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns) |
+| [Azure](https://azure.microsoft.com/services/dns/) | `azure` | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]` | [Additional configuration](https://go-acme.github.io/lego/dns/azure) |
+| [Blue Cat](https://www.bluecatnetworks.com/) | `bluecat` | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW` | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat) |
+| [ClouDNS](https://www.cloudns.net/) | `cloudns` | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns) |
+| [Cloudflare](https://www.cloudflare.com) | `cloudflare` | `CF_API_EMAIL`, `CF_API_KEY` - The `Global API Key` needs to be used, not the `Origin CA Key` | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare) |
+| [CloudXNS](https://www.cloudxns.net) | `cloudxns` | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns) |
+| [ConoHa](https://www.conoha.jp) | `conoha` | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/conoha) |
+| [DigitalOcean](https://www.digitalocean.com) | `digitalocean` | `DO_AUTH_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean) |
+| [DNSimple](https://dnsimple.com) | `dnsimple` | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL` | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple) |
+| [DNS Made Easy](https://dnsmadeeasy.com) | `dnsmadeeasy` | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX` | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy) |
+| [DNSPod](https://www.dnspod.com/) | `dnspod` | `DNSPOD_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod) |
+| [Domain Offensive (do.de)](https://www.do.de/) | `dode` | `DODE_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/dode) |
+| [DreamHost](https://www.dreamhost.com/) | `dreamhost` | `DREAMHOST_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost) |
+| [Duck DNS](https://www.duckdns.org/) | `duckdns` | `DUCKDNS_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns) |
+| [Dyn](https://dyn.com) | `dyn` | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/dyn) |
+| External Program | `exec` | `EXEC_PATH` | [Additional configuration](https://go-acme.github.io/lego/dns/exec) |
+| [Exoscale](https://www.exoscale.com) | `exoscale` | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT` | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale) |
+| [Fast DNS](https://www.akamai.com/) | `fastdns` | `AKAMAI_CLIENT_TOKEN`, `AKAMAI_CLIENT_SECRET`, `AKAMAI_ACCESS_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/fastdns) |
+| [Gandi](https://www.gandi.net) | `gandi` | `GANDI_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/gandi) |
+| [Gandi v5](http://doc.livedns.gandi.net) | `gandiv5` | `GANDIV5_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/gandiv5) |
+| [Glesys](https://glesys.com/) | `glesys` | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN` | [Additional configuration](https://go-acme.github.io/lego/dns/glesys) |
+| [GoDaddy](https://godaddy.com/) | `godaddy` | `GODADDY_API_KEY`, `GODADDY_API_SECRET` | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy) |
+| [Google Cloud DNS](https://cloud.google.com/dns/docs/) | `gcloud` | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`] | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud) |
+| [hosting.de](https://www.hosting.de) | `hostingde` | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME` | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde) |
+| HTTP request | `httpreq` | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1] | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq) |
+| [IIJ](https://www.iij.ad.jp/) | `iij` | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE` | [Additional configuration](https://go-acme.github.io/lego/dns/iij) |
+| [INWX](https://www.inwx.de/en) | `inwx` | `INWX_USERNAME`, `INWX_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/inwx) |
+| [Lightsail](https://aws.amazon.com/lightsail/) | `lightsail` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE` | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail) |
+| [Linode](https://www.linode.com) | `linode` | `LINODE_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/linode) |
+| [Linode v4](https://www.linode.com) | `linodev4` | `LINODE_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/linodev4) |
+| manual | - | none, but you need to run Traefik interactively [^4], turn on `acmeLogging` to see instructions and press Enter. | |
+| [MyDNS.jp](https://www.mydns.jp/) | `mydnsjp` | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp) |
+| [Namecheap](https://www.namecheap.com) | `namecheap` | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap) |
+| [name.com](https://www.name.com/) | `namedotcom` | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER` | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom) |
+| [Netcup](https://www.netcup.eu/) | `netcup` | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/netcup) |
+| [NIFCloud](https://cloud.nifty.com/service/dns.htm) | `nifcloud` | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud) |
+| [Ns1](https://ns1.com/) | `ns1` | `NS1_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/ns1) |
+| [Open Telekom Cloud](https://cloud.telekom.de) | `otc` | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT` | [Additional configuration](https://go-acme.github.io/lego/dns/otc) |
+| [OVH](https://www.ovh.com) | `ovh` | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/ovh) |
+| [Openstack Designate](https://docs.openstack.org/designate) | `designate` | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME` | [Additional configuration](https://go-acme.github.io/lego/dns/designate) |
+| [Oracle Cloud](https://cloud.oracle.com/home) | `oraclecloud` | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud) |
+| [PowerDNS](https://www.powerdns.com) | `pdns` | `PDNS_API_KEY`, `PDNS_API_URL` | [Additional configuration](https://go-acme.github.io/lego/dns/pdns) |
+| [Rackspace](https://www.rackspace.com/cloud/dns) | `rackspace` | `RACKSPACE_USER`, `RACKSPACE_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace) |
+| [RFC2136](https://tools.ietf.org/html/rfc2136) | `rfc2136` | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER` | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136) |
+| [Route 53](https://aws.amazon.com/route53/) | `route53` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile. | [Additional configuration](https://go-acme.github.io/lego/dns/route53) |
+| [Sakura Cloud](https://cloud.sakura.ad.jp/) | `sakuracloud` | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET` | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud) |
+| [Selectel](https://selectel.ru/en/) | `selectel` | `SELECTEL_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/selectel) |
+| [Stackpath](https://www.stackpath.com/) | `stackpath` | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID` | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath) |
+| [TransIP](https://www.transip.nl/) | `transip` | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH` | [Additional configuration](https://go-acme.github.io/lego/dns/transip) |
+| [VegaDNS](https://github.com/shupp/VegaDNS-API) | `vegadns` | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL` | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns) |
+| [Vscale](https://vscale.io/) | `vscale` | `VSCALE_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/vscale) |
+| [VULTR](https://www.vultr.com) | `vultr` | `VULTR_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/vultr) |
+| [Zone.ee](https://www.zone.ee) | `zoneee` | `ZONEEE_API_USER`, `ZONEEE_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee) |
[^1]: more information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/)
[^2]: [providing_credentials_to_your_application](https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application)
diff --git a/docs/content/https/overview.md b/docs/content/https/overview.md
new file mode 100644
index 000000000..d03950388
--- /dev/null
+++ b/docs/content/https/overview.md
@@ -0,0 +1,16 @@
+# HTTPS & TLS
+
+Overview
+{: .subtitle }
+
+Traefik supports HTTPS & TLS, which concerns roughly two parts of the configuration:
+routers, and the TLS connection (and its underlying certificates).
+
+When a router has to handle HTTPS traffic,
+it should be specified with a `tls` field of the router definition.
+See the TLS section of the [routers documentation](../routing/routers/index.md#tls).
+
+The next sections of this documentation explain how to configure the TLS connection itself.
+That is to say, how to obtain [TLS certificates](./tls.md#certificates-definition):
+either through a definition in the dynamic configuration, or through [Let's Encrypt](./acme.md) (ACME).
+And how to configure [TLS options](./tls.md#tls-options), and [certificates stores](./tls.md#certificates-stores).
diff --git a/docs/content/https-tls/ref-acme.toml b/docs/content/https/ref-acme.toml
similarity index 100%
rename from docs/content/https-tls/ref-acme.toml
rename to docs/content/https/ref-acme.toml
diff --git a/docs/content/https/tls.md b/docs/content/https/tls.md
new file mode 100644
index 000000000..c67da5d95
--- /dev/null
+++ b/docs/content/https/tls.md
@@ -0,0 +1,140 @@
+# TLS
+
+Transport Layer Security
+{: .subtitle }
+
+## Certificates Definition
+
+### Automated
+
+See the [Let's Encrypt](./acme.md) page.
+
+### User defined
+
+To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration](../getting-started/configuration-overview.md), in the `[[tls]]` section:
+
+```toml
+[[tls]]
+ [tls.certificate]
+ certFile = "/path/to/domain.cert"
+ keyFile = "/path/to/domain.key"
+
+[[tls]]
+ [tls.certificate]
+ certFile = "/path/to/other-domain.cert"
+ keyFile = "/path/to/other-domain.key"
+```
+
+!!! important "File Provider Only"
+
+ In the above example, we've used the [file provider](../providers/file.md) to handle these definitions.
+ In its current alpha version, it is the only available method to configure the certificates (as well as the options and the stores).
+
+## Certificates Stores
+
+In Traefik, certificates are grouped together in certificates stores, which are defined as such:
+
+```toml
+[tlsStores]
+ [tlsStores.default]
+```
+
+!!! important "Alpha restriction"
+
+ During the alpha version, any store definition other than the default one (named `default`) will be ignored,
+ and there is thefore only one globally available TLS store.
+
+In the `[[tls]]` section, a list of stores can then be specified to indicate where the certificates should be stored:
+
+```toml
+[[tls]]
+ stores = ["default"]
+ [tls.certificate]
+ certFile = "/path/to/domain.cert"
+ keyFile = "/path/to/domain.key"
+
+[[tls]]
+ # Note that since no store is defined,
+ # the certificate below will be stored in the `default` store.
+ [tls.certificate]
+ certFile = "/path/to/other-domain.cert"
+ keyFile = "/path/to/other-domain.key"
+```
+
+!!! important "Alpha restriction"
+
+ During the alpha version, the `stores` list will actually be ignored and automatically set to `["default"]`.
+
+### Default Certificate
+
+Traefik can use a default certificate for connections without a SNI, or without a matching domain.
+This default certificate should be defined in a TLS store:
+
+```toml
+[tlsStores]
+ [tlsStores.default]
+ [tlsStores.default.defaultCertificate]
+ certFile = "path/to/cert.crt"
+ keyFile = "path/to/cert.key"
+```
+
+If no default certificate is provided, Traefik generates and uses a self-signed certificate.
+
+## TLS Options
+
+The TLS options allow one to configure some parameters of the TLS connection.
+
+### Minimum TLS Version
+
+```toml
+[tlsOptions]
+
+ [tlsOptions.default]
+ minVersion = "VersionTLS12"
+
+ [tlsOptions.mintls13]
+ minVersion = "VersionTLS13"
+```
+
+### Mutual Authentication
+
+Traefik supports both optional and strict (which is the default) mutual authentication, though the `ClientCA.files` section.
+If present, connections from clients without a certificate will be rejected.
+
+For clients with a certificate, the `optional` option governs the behaviour as follows:
+
+- When `optional = false`, Traefik accepts connections only from clients presenting a certificate signed by a CA listed in `ClientCA.files`.
+- When `optional = true`, Traefik authorizes connections from clients presenting a certificate signed by an unknown CA.
+
+```toml
+[tlsOptions]
+ [tlsOptions.default]
+ [tlsOptions.default.ClientCA]
+ # in PEM format. each file can contain multiple CAs.
+ files = ["tests/clientca1.crt", "tests/clientca2.crt"]
+ optional = false
+```
+
+### Cipher Suites
+
+See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.
+
+```toml
+[tlsOptions]
+ [tlsOptions.default]
+ cipherSuites = [
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_RSA_WITH_AES_256_GCM_SHA384"
+ ]
+```
+
+### Strict SNI Checking
+
+With strict SNI checking, Traefik won't allow connections from clients connections
+that do not specify a server_name extension.
+
+```toml
+[tlsOptions]
+ [tlsOptions.default]
+ sniStrict = true
+```
diff --git a/docs/content/middlewares/basicauth.md b/docs/content/middlewares/basicauth.md
index 49ec0f323..45455f654 100644
--- a/docs/content/middlewares/basicauth.md
+++ b/docs/content/middlewares/basicauth.md
@@ -11,8 +11,12 @@ The BasicAuth middleware is a quick way to restrict access to your services to k
```yaml tab="Docker"
# Declaring the user list
+#
+# Note: all dollar signs in the hash need to be doubled for escaping.
+# To create user:password pair, it's possible to use this command:
+# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
labels:
- - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+ - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
```
```yaml tab="Kubernetes"
@@ -76,7 +80,7 @@ The file content is a list of `name:encoded-password`.
??? example "A file containing test/test and test2/test2"
- ```
+ ```txt
test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
```
@@ -109,6 +113,12 @@ spec:
headerField: X-WebAuth-User
```
+```json tab="Marathon"
+"labels": {
+ "traefik.http.middlewares.my-auth.basicauth.headerField": "X-WebAuth-User"
+}
+```
+
```toml tab="File"
[http.middlewares.my-auth.basicauth]
# ...
diff --git a/docs/content/middlewares/chain.md b/docs/content/middlewares/chain.md
index 1178976ef..79d5444a4 100644
--- a/docs/content/middlewares/chain.md
+++ b/docs/content/middlewares/chain.md
@@ -19,7 +19,7 @@ labels:
- "traefik.http.routers.router1.rule=Host(`mydomain`)"
- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
-- "traefik.http.middlewares.https-only.schemeredirect.scheme=https"
+- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
- "http.services.service1.loadbalancer.server.port=80"
```
@@ -69,7 +69,7 @@ kind: Middleware
metadata:
name: https-only
spec:
- schemeRedirect:
+ redirectScheme:
scheme: https
---
apiVersion: traefik.containo.us/v1alpha1
@@ -90,7 +90,7 @@ spec:
"traefik.http.routers.router1.rule": "Host(`mydomain`)",
"traefik.http.middlewares.secured.chain.middlewares": "https-only,known-ips,auth-users",
"traefik.http.middlewares.auth-users.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
- "traefik.http.middlewares.https-only.schemeredirect.scheme": "https",
+ "traefik.http.middlewares.https-only.redirectscheme.scheme": "https",
"traefik.http.middlewares.known-ips.ipwhitelist.sourceRange": "192.168.1.7,127.0.0.1/32",
"http.services.service1.loadbalancer.server.port": "80"
}
@@ -103,7 +103,7 @@ labels:
- "traefik.http.routers.router1.rule=Host(`mydomain`)"
- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
-- "traefik.http.middlewares.https-only.schemeredirect.scheme=https"
+- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
- "http.services.service1.loadbalancer.server.port=80"
```
@@ -123,7 +123,7 @@ labels:
[http.middlewares.auth-users.BasicAuth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
- [http.middlewares.https-only.SchemeRedirect]
+ [http.middlewares.https-only.redirectScheme]
scheme = "https"
[http.middlewares.known-ips.ipWhiteList]
@@ -134,5 +134,4 @@ labels:
[http.services.service1.LoadBalancer]
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://127.0.0.1:80"
- Weight = 1
```
diff --git a/docs/content/middlewares/compress.md b/docs/content/middlewares/compress.md
index 755b50160..eb1531a44 100644
--- a/docs/content/middlewares/compress.md
+++ b/docs/content/middlewares/compress.md
@@ -15,6 +15,16 @@ labels:
- "traefik.http.middlewares.test-compress.compress=true"
```
+```yaml tab="Kubernetes"
+# Enable gzip compression
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: test-compress
+spec:
+ compress: {}
+```
+
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-compress.compress": "true"
diff --git a/docs/content/middlewares/digestauth.md b/docs/content/middlewares/digestauth.md
index 36fe53ecc..70b6a97a6 100644
--- a/docs/content/middlewares/digestauth.md
+++ b/docs/content/middlewares/digestauth.md
@@ -69,7 +69,7 @@ The file content is a list of `name:realm:encoded-password`.
??? example "A file containing test/test and test2/test2"
- ```
+ ```txt
test:traefik:a2688e031edb4be6a3797f3882655c05
test2:traefik:518845800f9e2bfb1f1f740ec24f074e
```
@@ -109,6 +109,12 @@ labels:
- "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
```
+```json tab="Marathon"
+"labels": {
+ "traefik.http.middlewares.my-auth.digestauth.headerField": "X-WebAuth-User"
+}
+```
+
```toml tab="File"
[http.middlewares.my-auth.digestAuth]
# ...
diff --git a/docs/content/middlewares/headers.md b/docs/content/middlewares/headers.md
index f44d66a3c..23528b3e2 100644
--- a/docs/content/middlewares/headers.md
+++ b/docs/content/middlewares/headers.md
@@ -26,9 +26,9 @@ metadata:
name: testHeader
spec:
headers:
- CustomRequestHeaders:
+ customRequestHeaders:
X-Script-Name: "test"
- CustomResponseHeaders:
+ customResponseHeaders:
X-Custom-Response-Header: "True"
```
@@ -59,7 +59,7 @@ labels:
`X-Script-Name` header added to the proxied request, the `X-Custom-Request-Header` header removed from the request,
and the `X-Custom-Response-Header` header removed from the response.
-Please note that is not possible to remove headers through the use of Docker labels for now.
+Please note that is not possible to remove headers through the use of labels (Docker, Rancher, Marathon, ...) for now.
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
@@ -68,17 +68,22 @@ metadata:
name: testHeader
spec:
headers:
- CustomRequestHeaders:
+ customRequestHeaders:
X-Script-Name: "test" # Adds
X-Custom-Request-Header: "" # Removes
- CustomResponseHeaders:
+ customResponseHeaders:
X-Custom-Response-Header: "" # Removes
```
```yaml tab="Rancher"
labels:
- "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test"
- - "traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True"
+```
+
+```json tab="Marathon"
+"labels": {
+ "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name": "test",
+}
```
```toml tab="File"
@@ -109,8 +114,8 @@ metadata:
name: testHeader
spec:
headers:
- FrameDeny: "true"
- SSLRedirect: "true"
+ frameDeny: "true"
+ sslRedirect: "true"
```
```yaml tab="Rancher"
@@ -119,6 +124,13 @@ labels:
- "traefik.http.middlewares.testHeader.Headers.SSLRedirect=true"
```
+```json tab="Marathon"
+"labels": {
+ "traefik.http.middlewares.testHeader.Headers.FrameDeny": "true",
+ "traefik.http.middlewares.testHeader.Headers.SSLRedirect": "true"
+}
+```
+
```toml tab="File"
[http.middlewares]
[http.middlewares.testHeader.headers]
@@ -163,6 +175,15 @@ labels:
- "traefik.http.middlewares.testHeader.Headers.AddVaryHeader=true"
```
+```json tab="Marathon"
+"labels": {
+ "traefik.http.middlewares.testHeader.Headers.AccessControlAllowMethods": "GET,OPTIONS,PUT",
+ "traefik.http.middlewares.testHeader.Headers.AccessControlAllowOrigin": "origin-list-or-null",
+ "traefik.http.middlewares.testHeader.Headers.AccessControlMaxAge": "100",
+ "traefik.http.middlewares.testHeader.Headers.AddVaryHeader": "true"
+}
+```
+
```toml tab="File"
[http.middlewares]
[http.middlewares.testHeader.headers]
diff --git a/docs/content/middlewares/ipwhitelist.md b/docs/content/middlewares/ipwhitelist.md
index bf616450b..1d038eaa8 100644
--- a/docs/content/middlewares/ipwhitelist.md
+++ b/docs/content/middlewares/ipwhitelist.md
@@ -101,6 +101,13 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
```
+ ```json tab="Marathon"
+ "labels": {
+ "traefik.http.middlewares.testIPwhitelist.ipWhiteList.SourceRange": "127.0.0.1/32, 192.168.1.7",
+ "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth": "2"
+ }
+ ```
+
```toml tab="File"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
[http.middlewares]
@@ -158,6 +165,12 @@ labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedIPs=127.0.0.1/32, 192.168.1.7"
```
+```json tab="Marathon"
+"labels": {
+ "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedIPs": "127.0.0.1/32, 192.168.1.7"
+}
+```
+
```toml tab="File"
# Exclude from `X-Forwarded-For`
[http.middlewares]
diff --git a/docs/content/middlewares/maxconnection.md b/docs/content/middlewares/maxconnection.md
index f39da10a0..6c13363d0 100644
--- a/docs/content/middlewares/maxconnection.md
+++ b/docs/content/middlewares/maxconnection.md
@@ -19,10 +19,10 @@ labels:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
- name: addprefix
+ name: test-maxconn
spec:
- addPrefix:
- prefix: /bar
+ maxConn:
+ amount: 10
```
```json tab="Marathon"
diff --git a/docs/content/middlewares/overview.md b/docs/content/middlewares/overview.md
index bcd19d087..991cccb61 100644
--- a/docs/content/middlewares/overview.md
+++ b/docs/content/middlewares/overview.md
@@ -50,7 +50,7 @@ spec:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
- name: ingressroute.crd
+ name: ingressroute
spec:
# more fields...
routes:
@@ -92,7 +92,6 @@ labels:
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://127.0.0.1:80"
- Weight = 1
```
## Advanced Configuration
@@ -122,8 +121,8 @@ If you use multiple `providers` and wish to reference a middleware declared in a
image: your-docker-image
labels:
- # Attach file.add-foo-prefix middleware (declared in file)
- - "traefik.http.routers.middlewares=file.add-foo-prefix"
+ # Attach file@add-foo-prefix middleware (declared in file)
+ - "traefik.http.routers.my-container.middlewares=file@add-foo-prefix"
```
## Available Middlewares
@@ -135,14 +134,14 @@ If you use multiple `providers` and wish to reference a middleware declared in a
| [Buffering](buffering.md) | Buffers the request/response | Request Lifecycle |
| [Chain](chain.md) | Combine multiple pieces of middleware | Middleware tool |
| [CircuitBreaker](circuitbreaker.md) | Stop calling unhealthy services | Request Lifecycle |
-| [Compress](circuitbreaker.md) | Compress the response | Content Modifier |
+| [Compress](compress.md) | Compress the response | Content Modifier |
| [DigestAuth](digestauth.md) | Adds Digest Authentication | Security, Authentication |
| [Errors](errorpages.md) | Define custom error pages | Request Lifecycle |
| [ForwardAuth](forwardauth.md) | Authentication delegation | Security, Authentication |
| [Headers](headers.md) | Add / Update headers | Security |
| [IPWhiteList](ipwhitelist.md) | Limit the allowed client IPs | Security, Request lifecycle |
| [MaxConnection](maxconnection.md) | Limit the number of simultaneous connections | Security, Request lifecycle |
-| [PassTLSClientCert](passtlsclientcert.md) | TODO | Security |
+| [PassTLSClientCert](passtlsclientcert.md) | Adding Client Certificates in a Header | Security |
| [RateLimit](ratelimit.md) | Limit the call frequency | Security, Request lifecycle |
| [RedirectScheme](redirectscheme.md) | Redirect easily the client elsewhere | Request lifecycle |
| [RedirectRegex](redirectregex.md) | Redirect the client elsewhere | Request lifecycle |
diff --git a/docs/content/middlewares/passtlsclientcert.md b/docs/content/middlewares/passtlsclientcert.md
index 9fc629903..ed4c073a9 100644
--- a/docs/content/middlewares/passtlsclientcert.md
+++ b/docs/content/middlewares/passtlsclientcert.md
@@ -121,7 +121,29 @@ labels:
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
```
-
+
+ ```json tab="Marathon"
+ "labels": {
+ "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter": "true",
+ "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore": "true",
+ "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans": "true",
+ "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname": "true",
+ "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country": "true",
+ "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent": "true",
+ "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality": "true",
+ "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization": "true",
+ "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province": "true",
+ "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber": "true",
+ "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname": "true",
+ "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country": "true",
+ "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent": "true",
+ "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality": "true",
+ "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization": "true",
+ "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province": "true",
+ "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber": "true"
+ }
+ ```
+
```toml tab="File"
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
[http.middlewares]
diff --git a/docs/content/middlewares/ratelimit.md b/docs/content/middlewares/ratelimit.md
index 6c8a747a9..29add7f32 100644
--- a/docs/content/middlewares/ratelimit.md
+++ b/docs/content/middlewares/ratelimit.md
@@ -32,15 +32,16 @@ metadata:
name: test-ratelimit
spec:
rateLimit:
- extractorfunc = "client.ip"
- rate0:
- period = "10s"
- average = 100
- burst = 200
- rate1:
- period = "3s"
- average = 5
- burst = 10
+ extractorFunc: client.ip
+ rateset:
+ rate0:
+ period: 10s
+ average: 100
+ burst: 200
+ rate1:
+ period: 3s
+ average: 5
+ burst: 10
```
```json tab="Marathon"
@@ -76,12 +77,12 @@ labels:
[http.middlewares.test-ratelimit.ratelimit]
extractorfunc = "client.ip"
- [http.middlewares.test-ratelimit.ratelimit.rate0]
+ [http.middlewares.test-ratelimit.ratelimit.rateset.rate0]
period = "10s"
average = 100
burst = 200
- [http.middlewares.test-ratelimit.ratelimit.rate1]
+ [http.middlewares.test-ratelimit.ratelimit.rateset.rate1]
period = "3s"
average = 5
burst = 10
diff --git a/docs/content/middlewares/stripprefix.md b/docs/content/middlewares/stripprefix.md
index 3f9f25c16..806687367 100644
--- a/docs/content/middlewares/stripprefix.md
+++ b/docs/content/middlewares/stripprefix.md
@@ -10,39 +10,41 @@ Remove the specified prefixes from the URL path.
## Configuration Examples
```yaml tab="Docker"
-# Replace the path by /foo
+# Strip prefix /foobar and /fiibar
labels:
-- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=foobar, fiibar"
+- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar, /fiibar"
```
```yaml tab="Kubernetes"
-# Replace the path by /foo
+# Strip prefix /foobar and /fiibar
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-stripprefix
spec:
- StripPrefix:
- prefixes: "foobar, fiibar"
+ stripPrefix:
+ prefixes:
+ - /foobar
+ - /fiibar
```
```json tab="Marathon"
"labels": {
- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes": "foobar, fiibar"
+ "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes": "/foobar, /fiibar"
}
```
```yaml tab="Rancher"
-# Replace the path by /foo
+# Strip prefix /foobar and /fiibar
labels:
-- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=foobar, fiibar"
+- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar, /fiibar"
```
```toml tab="File"
-# Replace the path by /foo
+# Strip prefix /foobar and /fiibar
[http.middlewares]
[http.middlewares.test-stripprefix.StripPrefix]
- prefixes: "foobar, fiibar"
+ prefixes = ["/foobar", "/fiibar"]
```
## Configuration Options
diff --git a/docs/content/middlewares/stripprefixregex.md b/docs/content/middlewares/stripprefixregex.md
index 8691cb24c..484168e7f 100644
--- a/docs/content/middlewares/stripprefixregex.md
+++ b/docs/content/middlewares/stripprefixregex.md
@@ -1,4 +1,4 @@
-# StripPrefix
+# StripPrefixRegex
Removing Prefixes From the Path Before Forwarding the Request (Using a Regex)
{: .subtitle }
@@ -22,7 +22,7 @@ kind: Middleware
metadata:
name: test-stripprefixregex
spec:
- StripPrefixRegex:
+ stripPrefixRegex:
regex: "^/foo/(.*)"
```
diff --git a/docs/content/observability/access-logs.md b/docs/content/observability/access-logs.md
index 478b3f35b..bb174567e 100644
--- a/docs/content/observability/access-logs.md
+++ b/docs/content/observability/access-logs.md
@@ -110,38 +110,38 @@ Each field can be set to:
??? list "Available Fields"
- ```ini
- StartUTC
- StartLocal
- Duration
- FrontendName
- BackendName
- BackendURL
- BackendAddr
- ClientAddr
- ClientHost
- ClientPort
- ClientUsername
- RequestAddr
- RequestHost
- RequestPort
- RequestMethod
- RequestPath
- RequestProtocol
- RequestLine
- RequestContentSize
- OriginDuration
- OriginContentSize
- OriginStatus
- OriginStatusLine
- DownstreamStatus
- DownstreamStatusLine
- DownstreamContentSize
- RequestCount
- GzipRatio
- Overhead
- RetryAttempts
- ```
+ | Field | Description |
+ |-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+ | `StartUTC` | The time at which request processing started. |
+ | `StartLocal` | The local time at which request processing started. |
+ | `Duration` | The total time taken by processing the response, including the origin server's time but not the log writing time. |
+ | `FrontendName` | The name of the Traefik frontend. |
+ | `BackendName` | The name of the Traefik backend. |
+ | `BackendURL` | The URL of the Traefik backend. |
+ | `BackendAddr` | The IP:port of the Traefik backend (extracted from `BackendURL`) |
+ | `ClientAddr` | The remote address in its original form (usually IP:port). |
+ | `ClientHost` | The remote IP address from which the client request was received. |
+ | `ClientPort` | The remote TCP port from which the client request was received. |
+ | `ClientUsername` | The username provided in the URL, if present. |
+ | `RequestAddr` | The HTTP Host header (usually IP:port). This is treated as not a header by the Go API. |
+ | `RequestHost` | The HTTP Host server name (not including port). |
+ | `RequestPort` | The TCP port from the HTTP Host. |
+ | `RequestMethod` | The HTTP method. |
+ | `RequestPath` | The HTTP request URI, not including the scheme, host or port. |
+ | `RequestProtocol` | The version of HTTP requested. |
+ | `RequestLine` | `RequestMethod` + `RequestPath` + `RequestProtocol` |
+ | `RequestContentSize` | The number of bytes in the request entity (a.k.a. body) sent by the client. |
+ | `OriginDuration` | The time taken by the origin server ('upstream') to return its response. |
+ | `OriginContentSize` | The content length specified by the origin server, or 0 if unspecified. |
+ | `OriginStatus` | The HTTP status code returned by the origin server. If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent. |
+ | `OriginStatusLine` | `OriginStatus` + Status code explanation |
+ | `DownstreamStatus` | The HTTP status code returned to the client. |
+ | `DownstreamStatusLine` | `DownstreamStatus` + Status code explanation |
+ | `DownstreamContentSize` | The number of bytes in the response entity returned to the client. This is in addition to the "Content-Length" header, which may be present in the origin response. |
+ | `RequestCount` | The number of requests received since the Traefik instance started. |
+ | `GzipRatio` | The response body compression ratio achieved. |
+ | `Overhead` | The processing time overhead caused by Traefik. |
+ | `RetryAttempts` | The amount of attempts the request was retried. |
## Log Rotation
diff --git a/docs/content/operations/api.md b/docs/content/operations/api.md
new file mode 100644
index 000000000..0bbf0a185
--- /dev/null
+++ b/docs/content/operations/api.md
@@ -0,0 +1,168 @@
+# API
+
+Traefik exposes a number of information through an API handler, such as the configuration of all routers, services, middlewares, etc.
+
+As with all features of Traefik, this handler can be enabled with the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
+
+## Security
+
+Enabling the API in production is not recommended, because it will expose all configuration elements,
+including sensitive data.
+
+In production, it should be at least secured by authentication and authorizations.
+
+A good sane default (non exhaustive) set of recommendations
+would be to apply the following protection mechanisms:
+
+* At the application level:
+ securing with middlewares such as [basic authentication](../middlewares/basicauth.md) or [white listing](../middlewares/ipwhitelist.md).
+
+* At the transport level:
+ NOT publicly exposing the API's port,
+ keeping it restricted to internal networks
+ (as in the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), applied to networks).
+
+## Configuration
+
+To enable the API handler:
+
+```toml tab="File"
+[api]
+```
+
+```bash tab="CLI"
+--api
+```
+
+### `dashboard`
+
+_Optional, Default=true_
+
+Enable the dashboard. More about the dashboard features [here](./dashboard.md).
+
+```toml tab="File"
+[api]
+ dashboard = true
+```
+
+```bash tab="CLI"
+--api.dashboard
+```
+
+### `entrypoint`
+
+_Optional, Default="traefik"_
+
+The entry point that the API handler will be bound to.
+The default ("traefik") is an internal entry point (which is always defined).
+
+```toml tab="File"
+[api]
+ entrypoint = "web"
+```
+
+```bash tab="CLI"
+--api.entrypoint="web"
+```
+
+### `middlewares`
+
+_Optional, Default=empty_
+
+The list of [middlewares](../middlewares/overview.md) applied to the API handler.
+
+```toml tab="File"
+[api]
+ middlewares = ["api-auth", "api-prefix"]
+```
+
+```bash tab="CLI"
+--api.middlewares="api-auth,api-prefix"
+```
+
+### `debug`
+
+_Optional, Default=false_
+
+Enable additional endpoints for debugging and profiling, served under `/debug/`.
+
+```toml tab="File"
+[api]
+ debug = true
+```
+
+```bash tab="CLI"
+--api.debug=true
+```
+
+## Endpoints
+
+All the following endpoints must be accessed with a `GET` HTTP request.
+
+| Path | Description |
+|--------------------------------|-------------------------------------------------------------------------------------------|
+| `/api/http/routers` | Lists all the HTTP routers information. |
+| `/api/http/routers/{name}` | Returns the information of the HTTP router specified by `name`. |
+| `/api/http/services` | Lists all the HTTP services information. |
+| `/api/http/services/{name}` | Returns the information of the HTTP service specified by `name`. |
+| `/api/http/middlewares` | Lists all the HTTP middlewares information. |
+| `/api/http/middlewares/{name}` | Returns the information of the HTTP middleware specified by `name`. |
+| `/api/tcp/routers` | Lists all the TCP routers information. |
+| `/api/tcp/routers/{name}` | Returns the information of the TCP router specified by `name`. |
+| `/api/tcp/services` | Lists all the TCP services information. |
+| `/api/tcp/services/{name}` | Returns the information of the TCP service specified by `name`. |
+| `/api/version` | Returns information about Traefik version. |
+| `/debug/vars` | See the [expvar](https://golang.org/pkg/expvar/) Go documentation. |
+| `/debug/pprof/` | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation. |
+| `/debug/pprof/cmdline` | See the [pprof Cmdline](https://golang.org/pkg/net/http/pprof/#Cmdline) Go documentation. |
+| `/debug/pprof/profile` | See the [pprof Profile](https://golang.org/pkg/net/http/pprof/#Profile) Go documentation. |
+| `/debug/pprof/symbol` | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation. |
+| `/debug/pprof/trace` | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation. |
+
+## Common Configuration Use Cases
+
+### Address / Port
+
+You can define a custom address/port like this:
+
+```toml
+[entryPoints]
+ [entryPoints.web]
+ address = ":80"
+
+ [entryPoints.foo]
+ address = ":8082"
+
+ [entryPoints.bar]
+ address = ":8083"
+
+[ping]
+entryPoint = "foo"
+
+[api]
+entryPoint = "bar"
+```
+
+In the above example, you would access a service at /foo, an api endpoint, or the health-check as follows:
+
+* Service: `http://hostname:80/foo`
+* API: `http://hostname:8083/api/http/routers`
+* Ping URL: `http://hostname:8082/ping`
+
+### Authentication
+
+To restrict access to the API handler, one can add authentication with the [basic auth middleware](../middlewares/basicauth.md).
+
+```toml
+[api]
+ middlewares=["api-auth"]
+```
+
+```toml
+[http.middlewares]
+ [http.middlewares.api-auth.basicauth]
+ users = [
+ "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+ "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+ ]
+```
diff --git a/docs/content/operations/cli.md b/docs/content/operations/cli.md
index 843ee0177..bef4a8510 100644
--- a/docs/content/operations/cli.md
+++ b/docs/content/operations/cli.md
@@ -6,48 +6,56 @@ The Traefik Command Line
## General
```bash
-traefik [command] [--flag=flag_argument]
+traefik [command] [flags] [arguments]
```
-Available commands:
+Use `traefik [command] --help` for help on any command.
-- `version` : Print version
-- `storeconfig` : Store the static Traefik configuration into a Key-value stores. Please refer to the `Store Traefik configuration`(TODO: add doc and link) section to get documentation on it.
-- `healthcheck`: Calls Traefik `/ping` to check health.
+Commands:
-Each command can have additional flags.
+- `healthcheck` Calls Traefik `/ping` to check the health of Traefik (the API must be enabled).
+- `version` Shows the current Traefik version.
-All those flags will be displayed with:
+Flag's usage:
```bash
-traefik [command] --help
+# set flag_argument to flag(s)
+traefik [--flag=flag_argument] [-f [flag_argument]]
+
+# set true/false to boolean flag(s)
+traefik [--flag[=true|false| ]] [-f [true|false| ]]
```
-Each command is described at the beginning of the help section:
+### healthcheck
-```bash
-traefik --help
+Calls Traefik `/ping` to check the health of Traefik.
+Its exit status is `0` if Traefik is healthy and `1` otherwise.
-# or
-
-docker run traefik[:version] --help
-# ex: docker run traefik:1.5 --help
-```
-
-### Command: healthcheck
-
-Checks the health of Traefik.
-Its exit status is `0` if Traefik is healthy and `1` if it is unhealthy.
-
-This can be used with Docker [HEALTHCHECK](https://docs.docker.com/engine/reference/builder/#healthcheck) instruction or any other health check orchestration mechanism.
+This can be used with Docker [HEALTHCHECK](https://docs.docker.com/engine/reference/builder/#healthcheck) instruction
+or any other health check orchestration mechanism.
!!! note
The [`ping` endpoint](../ping/) must be enabled to allow the `healthcheck` command to call `/ping`.
-```bash
-traefik healthcheck
-```
+Usage:
```bash
+traefik healthcheck [command] [flags] [arguments]
+```
+
+Example:
+
+```bash
+$ traefik healthcheck
OK: http://:8082/ping
```
+
+### version
+
+Shows the current Traefik version.
+
+Usage:
+
+```bash
+traefik version [command] [flags] [arguments]
+```
diff --git a/docs/content/operations/debug-mode.md b/docs/content/operations/debug-mode.md
deleted file mode 100644
index fcda56c5e..000000000
--- a/docs/content/operations/debug-mode.md
+++ /dev/null
@@ -1,15 +0,0 @@
-# The Debug Mode
-
-Getting More Information (Not For Production)
-{: .subtitle }
-
-The debug mode will make Traefik be _extremely_ verbose in its logs, and is NOT intended for production purposes.
-
-## Configuration Example
-
-??? example "TOML -- Enabling the Debug Mode"
-
- ```toml
- [Global]
- debug = true
- ```
\ No newline at end of file
diff --git a/docs/content/providers/crd_ingress_route.yml b/docs/content/providers/crd_ingress_route.yml
index 0bcfd3568..b40f22527 100644
--- a/docs/content/providers/crd_ingress_route.yml
+++ b/docs/content/providers/crd_ingress_route.yml
@@ -11,3 +11,18 @@ spec:
plural: ingressroutes
singular: ingressroute
scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressroutetcps.traefik.containo.us
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRouteTCP
+ plural: ingressroutetcps
+ singular: ingressroutetcp
+ scope: Namespaced
diff --git a/docs/content/providers/docker.md b/docs/content/providers/docker.md
index 856ffe8e3..b6b09e3d9 100644
--- a/docs/content/providers/docker.md
+++ b/docs/content/providers/docker.md
@@ -45,7 +45,7 @@ Attach labels to your containers and let Traefik do the rest!
swarmMode = true
```
- Attaching labels to containers (in your docker compose file)
+ Attach labels to services (not to containers) while in Swarm mode (in your docker compose file)
```yaml
version: "3"
@@ -57,13 +57,13 @@ Attach labels to your containers and let Traefik do the rest!
```
!!! important "Labels in Docker Swarm Mode"
- If you use a compose file with the Swarm mode, labels should be defined in the `deploy` part of your service.
+ While in Swarm Mode, Traefik uses labels found on services, not on individual containers. Therefore, if you use a compose file with Swarm Mode, labels should be defined in the `deploy` part of your service.
This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/#labels-1)).
## Provider Configuration Options
!!! tip "Browse the Reference"
- If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration.md) and the [dynamic](../reference/dynamic-configuration/docker.md) configuration references.
+ If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration/overview.md) and the [dynamic](../reference/dynamic-configuration/docker.md) configuration references.
### `endpoint`
@@ -86,7 +86,7 @@ Traefik requires access to the docker socket to get its dynamic configuration.
- [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
- [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html)
- [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
- - [To Dind or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html)
+ - [To DinD or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html)
??? tip "Security Compensation"
@@ -147,12 +147,14 @@ _Optional, Default=false_
Traefik routes requests to the IP/Port of the matching container.
When setting `usebindportip=true`, you tell Traefik to use the IP/Port attached to the container's _binding_ instead of its inner network IP/Port.
-When used in conjunction with the `traefik.port` label (that tells Traefik to route requests to a specific port), Traefik tries to find a binding on port `traefik.port`.
-If it can't find such a binding, Traefik falls back on the internal network IP of the container, but still uses the `traefik.port` that is set in the label.
+When used in conjunction with the `traefik.http.services.XXX.loadbalancer.server.port` label (that tells Traefik to route requests to a specific port),
+Traefik tries to find a binding on port `traefik.http.services.XXX.loadbalancer.server.port`.
+If it can't find such a binding, Traefik falls back on the internal network IP of the container,
+but still uses the `traefik.http.services.XXX.loadbalancer.server.port` that is set in the label.
??? example "Examples of `usebindportip` in different situations."
- | traefik.port label | Container's binding | Routes to |
+ | port label | Container's binding | Routes to |
|--------------------|----------------------------------------------------|----------------|
| - | - | IntIP:IntPort |
| - | ExtPort:IntPort | IntIP:IntPort |
@@ -182,15 +184,24 @@ This option can be overridden on a container basis with the `traefik.docker.netw
### `defaultRule`
-_Optional, Default=Host(`{{ normalize .Name }}`)_
+_Optional, Default=```Host(`{{ normalize .Name }}`)```_
For a given container if no routing rule was defined by a label, it is defined by this defaultRule instead.
It must be a valid [Go template](https://golang.org/pkg/text/template/),
augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
-The container service name can be accessed as the Name identifier,
+The container service name can be accessed as the `Name` identifier,
and the template has access to all the labels defined on this container.
-``defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"``
+```toml tab="File"
+[docker]
+defaultRule = ""
+# ...
+```
+
+```txt tab="CLI"
+--providers.docker
+--providers.docker.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+```
### `swarmMode`
@@ -221,7 +232,7 @@ Every [Router](../routing/routers/index.md) parameter can be updated this way.
### Services
-To update the configuration of the Service automatically attached to the container, add labels starting with `traefik.http.services.{name-of-your-choice}.`, followed by the option you want to change. For example, to change the load balancer method, you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.method=drr`.
+To update the configuration of the Service automatically attached to the container, add labels starting with `traefik.http.services.{name-of-your-choice}.`, followed by the option you want to change. For example, to change the passhostheader behavior, you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.passhostheader=false`.
Every [Service](../routing/services/index.md) parameter can be updated this way.
@@ -236,14 +247,16 @@ You can declare pieces of middleware using labels starting with `traefik.http.mi
my-container:
# ...
labels:
- - traefik.http.middlewares.my-redirect.schemeredirect.scheme=https
- - traefik.http.routers.middlewares=my-redirect
+ - traefik.http.middlewares.my-redirect.redirectscheme.scheme=https
+ - traefik.http.routers.my-container.middlewares=my-redirect
```
!!! warning "Conflicts in Declaration"
If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
+More information about available middlewares in the dedicated [middlewares section](../middlewares/overview.md).
+
### TCP
You can declare TCP Routers and/or Services using labels.
@@ -262,7 +275,7 @@ You can declare TCP Routers and/or Services using labels.
!!! warning "TCP and HTTP"
- If you declare a TCP Router/Service, it will prevent Traefik from automatically create an HTTP Router/Service (like it does by default if no TCP Router/Service is defined).
+ If you declare a TCP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no TCP Router/Service is defined).
You can declare both a TCP Router/Service and an HTTP Router/Service for the same container (but you have to do so manually).
### Specific Options
diff --git a/docs/content/providers/file.md b/docs/content/providers/file.md
index 31a55d83d..3740f5ba6 100644
--- a/docs/content/providers/file.md
+++ b/docs/content/providers/file.md
@@ -7,8 +7,8 @@ The file provider lets you define the [dynamic configuration](./overview.md) in
You can write these configuration elements:
* At the end of the main Traefik configuration file (by default: `traefik.toml`).
-* In [a dedicated file](#filename-optional)
-* In [several dedicated files](#directory-optional)
+* In [a dedicated file](#filename)
+* In [several dedicated files](#directory)
!!! note
The file provider is the default format used throughout the documentation to show samples of the configuration for many features.
@@ -44,21 +44,20 @@ You can write these configuration elements:
[http.services]
[http.services.service-foo]
[http.services.service-foo.LoadBalancer]
- method = "wrr"
[[http.services.service-foo.LoadBalancer.Servers]]
url = "http://foo/"
- weight = 30
[[http.services.service-foo.LoadBalancer.Servers]]
url = "http://bar/"
- weight = 70
```
## Provider Configuration Options
!!! tip "Browse the Reference"
- If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration.md) and the [dynamic](../reference/dynamic-configuration/file.md) configuration references.
+ If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration/overview.md) and the [dynamic](../reference/dynamic-configuration/file.md) configuration references.
-### `filename` (_Optional_)
+### `filename`
+
+_Optional_
Defines the path of the configuration file.
@@ -68,7 +67,9 @@ Defines the path of the configuration file.
filename = "rules.toml"
```
-### `directory` (_Optional_)
+### `directory`
+
+_Optional_
Defines the directory that contains the configuration files.
@@ -78,7 +79,9 @@ Defines the directory that contains the configuration files.
directory = "/path/to/config"
```
-### `watch` (_Optional_)
+### `watch`
+
+_Optional_
Set the `watch` option to `true` to allow Traefik to automatically watch for file changes.
It works with both the `filename` and the `directory` options.
@@ -145,5 +148,4 @@ Thus, it's possible to define easily lot of routers, services and TLS certificat
[TLSConfig.TLS{{ $e }}]
# ...
{{ end }}
-
```
diff --git a/docs/content/providers/kubernetes-crd.md b/docs/content/providers/kubernetes-crd.md
index b1e9400b1..19745dfc1 100644
--- a/docs/content/providers/kubernetes-crd.md
+++ b/docs/content/providers/kubernetes-crd.md
@@ -145,13 +145,13 @@ If you're in a hurry, maybe you'd rather go through the [dynamic](../reference/d
--8<-- "content/providers/crd_ingress_route.yml"
```
-That `IngressRoute` kind can then be used to define an `IngressRoute` object, such as:
+That `IngressRoute` kind can then be used to define an `IngressRoute` object, such as in:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
- name: ingressroutefoo.crd
+ name: ingressroutefoo
spec:
entryPoints:
@@ -170,6 +170,22 @@ spec:
services:
- name: whoami
port: 80
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+ name: ingressroutetcpfoo.crd
+
+spec:
+ entryPoints:
+ - footcp
+ routes:
+ # Match is the rule corresponding to an underlying router.
+ - match: HostSNI(`*`)
+ services:
+ - name: whoamitcp
+ port: 8080
```
### Middleware
@@ -197,7 +213,7 @@ spec:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
- name: ingressroutebar.crd
+ name: ingressroutebar
spec:
entryPoints:
@@ -212,6 +228,8 @@ spec:
- name: stripprefix
```
+More information about available middlewares in the dedicated [middlewares section](../middlewares/overview.md).
+
### TLS
To allow for TLS, we made use of the `Secret` kind, as it was already defined, and it can be directly used in an `IngressRoute`:
@@ -230,7 +248,7 @@ data:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
- name: ingressroutetls.crd
+ name: ingressroutetls
spec:
entryPoints:
diff --git a/docs/content/providers/marathon.md b/docs/content/providers/marathon.md
index ba68f37fb..f8c0ff45a 100644
--- a/docs/content/providers/marathon.md
+++ b/docs/content/providers/marathon.md
@@ -49,7 +49,7 @@ See also [Marathon user guide](../user-guides/marathon.md).
## Provider Configuration Options
!!! tip "Browse the Reference"
- If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration.md) and the [dynamic](../reference/dynamic-configuration/marathon.md) configuration references.
+ If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration/overview.md) and the [dynamic](../reference/dynamic-configuration/marathon.md) configuration references.
### `basic`
@@ -262,14 +262,14 @@ Every [Router](../routing/routers/index.md) parameter can be updated this way.
To update the configuration of the Service automatically attached to the container,
add labels starting with `traefik.HTTP.Services.{service-name-of-your-choice}.`, followed by the option you want to change.
-For example, to change the load balancer method, you'd add the label `traefik.HTTP.Services.Servicename.LoadBalancer.Method=drr`.
+For example, to change the passhostheader behavior, you'd add the label `traefik.HTTP.Services.Servicename.LoadBalancer.PassHostHeader=false`.
Every [Service](../routing/services/index.md) parameter can be updated this way.
### Middleware
You can declare pieces of middleware using labels starting with `traefik.HTTP.Middlewares.{middleware-name-of-your-choice}.`, followed by the middleware type/options.
-For example, to declare a middleware [`schemeredirect`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.HTTP.Middlewares.my-redirect.RedirectScheme.Scheme: https`.
+For example, to declare a middleware [`redirectscheme`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.HTTP.Middlewares.my-redirect.RedirectScheme.Scheme: https`.
??? example "Declaring and Referencing a Middleware"
@@ -277,8 +277,8 @@ For example, to declare a middleware [`schemeredirect`](../middlewares/redirects
{
...
"labels": {
- "traefik.http.middlewares.my-redirect.schemeredirect.scheme": "https",
- "traefik.http.routers.middlewares": "my-redirect"
+ "traefik.http.middlewares.my-redirect.redirectscheme.scheme": "https",
+ "traefik.http.routers.my-container.middlewares": "my-redirect"
}
}
```
@@ -287,6 +287,8 @@ For example, to declare a middleware [`schemeredirect`](../middlewares/redirects
If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
+More information about available middlewares in the dedicated [middlewares section](../middlewares/overview.md).
+
### TCP
You can declare TCP Routers and/or Services using labels.
diff --git a/docs/content/providers/overview.md b/docs/content/providers/overview.md
index 65fefb78f..fc2c2ab7a 100644
--- a/docs/content/providers/overview.md
+++ b/docs/content/providers/overview.md
@@ -43,7 +43,7 @@ Below is the list of the currently supported providers in Traefik.
## Constraints Configuration
-If you want to limit the scope of Traefik service discovery, you can set constraints.
+If you want to limit the scope of Traefik's service discovery, you can set constraints.
Doing so, Traefik will create routes for containers that match these constraints only.
??? example "Containers with the api Tag"
diff --git a/docs/content/providers/rancher.md b/docs/content/providers/rancher.md
index bce2b329f..edc9de5e6 100644
--- a/docs/content/providers/rancher.md
+++ b/docs/content/providers/rancher.md
@@ -1,15 +1,20 @@
# Traefik & Rancher
-A Story of Labels, Services & Container
+A Story of Labels, Services & Containers
{: .subtitle }
![Rancher](../assets/img/providers/rancher.png)
Attach labels to your services and let Traefik do the rest!
+!!! important
+ This provider is specific to Rancher 1.x.
+ Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query.
+ As such, Rancher 2.x users should utilize the [Kubernetes provider](./kubernetes-crd.md) directly.
+
## Configuration Examples
-??? example "Configuring Docker & Deploying / Exposing Services"
+??? example "Configuring Rancher & Deploying / Exposing Services"
Enabling the rancher provider
@@ -34,22 +39,16 @@ Attach labels to your services and let Traefik do the rest!
# Rancher Provider
################################################################
- # Enable Docker Provider.
+ # Enable Rancher Provider.
[rancher]
- # The default host rule for all services.
- #
- # Optionnal
- #
- DefaultRule = "unix:///var/run/docker.sock"
-
# Expose Rancher services by default in Traefik.
#
# Optional
#
- ExposedByDefault = "docker.localhost"
+ ExposedByDefault = "true"
- # Enable watch docker changes.
+ # Enable watch Rancher changes.
#
# Optional
#
@@ -89,10 +88,27 @@ If set to false, services that don't have a `traefik.enable=true` label will be
### `DefaultRule`
-_Optional_
+_Optional, Default=```Host(`{{ normalize .Name }}`)```_
The default host rule for all services.
+For a given container if no routing rule was defined by a label, it is defined by this defaultRule instead.
+It must be a valid [Go template](https://golang.org/pkg/text/template/),
+augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
+The service name can be accessed as the `Name` identifier,
+and the template has access to all the labels defined on this container.
+
+```toml tab="File"
+[rancher]
+defaultRule = ""
+# ...
+```
+
+```txt tab="CLI"
+--providers.rancher
+--providers.rancher.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+```
+
This option can be overridden on a container basis with the `traefik.http.routers.Router1.rule` label.
### `EnableServiceHealthFilter`
@@ -136,29 +152,31 @@ Every [Router](../routing/routers/index.md) parameter can be updated this way.
### Services
To update the configuration of the Service automatically attached to the container, add labels starting with `traefik.http.services.{name-of-your-choice}.`,
-followed by the option you want to change. For example, to change the load balancer method,
-you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.method=drr`.
+followed by the option you want to change. For example, to change the passhostheader behavior,
+you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.passhostheader=false`.
Every [Service](../routing/services/index.md) parameter can be updated this way.
### Middleware
You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{name-of-your-choice}.`, followed by the middleware type/options.
-For example, to declare a middleware [`schemeredirect`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.schemeredirect.scheme: https`.
+For example, to declare a middleware [`redirectscheme`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme: https`.
??? example "Declaring and Referencing a Middleware"
```yaml
# ...
labels:
- - traefik.http.middlewares.my-redirect.schemeredirect.scheme=https
- - traefik.http.routers.middlewares=my-redirect
+ - traefik.http.middlewares.my-redirect.redirectscheme.scheme=https
+ - traefik.http.routers.my-container.middlewares=my-redirect
```
!!! warning "Conflicts in Declaration"
If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
+More information about available middlewares in the dedicated [middlewares section](../middlewares/overview.md).
+
### Specific Options
#### `traefik.enable`
diff --git a/docs/content/reference/dynamic-configuration/file.toml b/docs/content/reference/dynamic-configuration/file.toml
index a88ada9ee..3f5b20af5 100644
--- a/docs/content/reference/dynamic-configuration/file.toml
+++ b/docs/content/reference/dynamic-configuration/file.toml
@@ -9,6 +9,7 @@
Rule = "foobar"
priority = 42
[HTTP.Routers.Router0.tls]
+ options = "TLS0"
[HTTP.Middlewares]
@@ -172,19 +173,16 @@
[HTTP.Services]
[HTTP.Services.Service0]
[HTTP.Services.Service0.LoadBalancer]
- Method = "foobar"
PassHostHeader = true
[[HTTP.Services.Service0.LoadBalancer.Servers]]
URL = "foobar"
- Weight = 42
[HTTP.Services.Service0.LoadBalancer.Stickiness]
CookieName = "foobar"
[[HTTP.Services.Service0.LoadBalancer.Servers]]
URL = "foobar"
- Weight = 42
[HTTP.Services.Service0.LoadBalancer.HealthCheck]
Scheme = "foobar"
@@ -209,20 +207,18 @@
Rule = "foobar"
[TCP.Routers.TCPRouter0.tls]
passthrough = true
+ options = "TLS1"
[TCP.Services]
[TCP.Services.TCPService0]
[TCP.Services.TCPService0.LoadBalancer]
- Method = "foobar"
[[TCP.Services.TCPService0.LoadBalancer.Servers]]
Address = "foobar"
- Weight = 42
[[TCP.Services.TCPService0.LoadBalancer.Servers]]
Address = "foobar"
- Weight = 42
[[TLS]]
Stores = ["foobar", "foobar"]
diff --git a/docs/content/reference/dynamic-configuration/kubernetes-crd.yml b/docs/content/reference/dynamic-configuration/kubernetes-crd.yml
index 05e4c391c..2850d669c 100644
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd.yml
@@ -26,11 +26,26 @@ spec:
singular: middleware
scope: Namespaced
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressroutetcps.traefik.containo.us
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRouteTCP
+ plural: ingressroutetcps
+ singular: ingressroutetcp
+ scope: Namespaced
+
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
- name: ingressroute.crd
+ name: ingressroute
spec:
entryPoints:
- web
@@ -67,5 +82,25 @@ spec:
middlewares:
- name: stripprefix
- name: addprefix
+ # use an empty tls object for TLS with Let's Encrypt
tls:
- secretName: supersecret
\ No newline at end of file
+ secretName: supersecret
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+ name: ingressroutetcp.crd
+ namespace: default
+
+spec:
+ entryPoints:
+ - footcp
+ routes:
+ - match: HostSNI(`bar.com`)
+ services:
+ - name: whoamitcp
+ port: 8080
+ tls:
+ secretName: foosecret
+ passthrough: false
diff --git a/docs/content/reference/dynamic-configuration/labels.yml b/docs/content/reference/dynamic-configuration/labels.yml
index 30c1c3a18..c7ba2981e 100644
--- a/docs/content/reference/dynamic-configuration/labels.yml
+++ b/docs/content/reference/dynamic-configuration/labels.yml
@@ -109,11 +109,13 @@ labels:
- "traefik.HTTP.Routers.Router0.Rule=foobar"
- "traefik.HTTP.Routers.Router0.Service=foobar"
- "traefik.HTTP.Routers.Router0.TLS=true"
+- "traefik.HTTP.Routers.Router0.TLS.options=foo"
- "traefik.HTTP.Routers.Router1.EntryPoints=foobar, fiibar"
- "traefik.HTTP.Routers.Router1.Middlewares=foobar, fiibar"
- "traefik.HTTP.Routers.Router1.Priority=42"
- "traefik.HTTP.Routers.Router1.Rule=foobar"
- "traefik.HTTP.Routers.Router1.Service=foobar"
+- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers.name0=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers.name1=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Hostname=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Interval=foobar"
@@ -121,12 +123,10 @@ labels:
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Port=42"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Scheme=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Timeout=foobar"
-- "traefik.HTTP.Services.Service0.LoadBalancer.Method=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.PassHostHeader=true"
- "traefik.HTTP.Services.Service0.LoadBalancer.ResponseForwarding.FlushInterval=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.server.Port=8080"
- "traefik.HTTP.Services.Service0.LoadBalancer.server.Scheme=foobar"
-- "traefik.HTTP.Services.Service0.LoadBalancer.server.Weight=42"
- "traefik.HTTP.Services.Service0.LoadBalancer.Stickiness.CookieName=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Headers.name0=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Headers.name1=foobar"
@@ -136,24 +136,19 @@ labels:
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Port=42"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Scheme=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Timeout=foobar"
-- "traefik.HTTP.Services.Service1.LoadBalancer.Method=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.PassHostHeader=true"
- "traefik.HTTP.Services.Service1.LoadBalancer.ResponseForwarding.FlushInterval=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.server.Port=8080"
- "traefik.HTTP.Services.Service1.LoadBalancer.server.Scheme=foobar"
-- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers.name0=foobar"
-- "traefik.HTTP.Services.Service1.LoadBalancer.server.Weight=42"
- "traefik.TCP.Routers.Router0.Rule=foobar"
- "traefik.TCP.Routers.Router0.EntryPoints=foobar, fiibar"
- "traefik.TCP.Routers.Router0.Service=foobar"
- "traefik.TCP.Routers.Router0.TLS.Passthrough=false"
+- "traefik.TCP.Routers.Router0.TLS.options=bar"
- "traefik.TCP.Routers.Router1.Rule=foobar"
- "traefik.TCP.Routers.Router1.EntryPoints=foobar, fiibar"
- "traefik.TCP.Routers.Router1.Service=foobar"
- "traefik.TCP.Routers.Router1.TLS.Passthrough=false"
-- "traefik.TCP.Services.Service0.LoadBalancer.Method=foobar"
+- "traefik.TCP.Routers.Router1.TLS.options=foobar"
- "traefik.TCP.Services.Service0.LoadBalancer.server.Port=42"
-- "traefik.TCP.Services.Service0.LoadBalancer.server.Weight=42"
-- "traefik.TCP.Services.Service1.LoadBalancer.Method=foobar"
- "traefik.TCP.Services.Service1.LoadBalancer.server.Port=42"
-- "traefik.TCP.Services.Service1.LoadBalancer.server.Weight=42"
diff --git a/docs/content/reference/static-configuration.md b/docs/content/reference/static-configuration.md
deleted file mode 100644
index 0101746b3..000000000
--- a/docs/content/reference/static-configuration.md
+++ /dev/null
@@ -1,13 +0,0 @@
-# Static Configuration
-
-## File
-
-```toml
---8<-- "content/reference/static-configuration.toml"
-```
-
-## CLI
-
-```txt
---8<-- "content/reference/static-configuration.txt"
-```
diff --git a/docs/content/reference/static-configuration.txt b/docs/content/reference/static-configuration.txt
deleted file mode 100644
index 4a69101be..000000000
--- a/docs/content/reference/static-configuration.txt
+++ /dev/null
@@ -1,203 +0,0 @@
---accesslog Access log settings (default "false")
---accesslog.bufferingsize Number of access log lines to process in a buffered way. Default 0. (default "0")
---accesslog.fields AccessLogFields (default "false")
---accesslog.fields.defaultmode Default mode for fields: keep | drop (default "keep")
---accesslog.fields.headers Headers to keep, drop or redact (default "false")
---accesslog.fields.headers.defaultmode Default mode for fields: keep | drop | redact (default "keep")
---accesslog.fields.headers.names Override mode for headers (default "map[]")
---accesslog.fields.names Override mode for fields (default "map[]")
---accesslog.filepath Access log file path. Stdout is used when omitted or empty
---accesslog.filters Access log filters, used to keep only specific access logs (default "false")
---accesslog.filters.minduration Keep access logs when request took longer than the specified duration (default "0s")
---accesslog.filters.retryattempts Keep access logs when at least one retry happened (default "false")
---accesslog.filters.statuscodes Keep access logs with status codes in the specified range (default "[]")
---accesslog.format Access log format: json | common (default "common")
---acme Enable ACME (Let's Encrypt): automatic SSL (default "false")
---acme.acmelogging Enable debug logging of ACME actions. (default "false")
---acme.caserver CA server to use.
---acme.dnschallenge Activate DNS-01 Challenge (default "false")
---acme.dnschallenge.delaybeforecheck Assume DNS propagates after a delay in seconds rather than finding and querying (default "0s")
- nameservers.
---acme.dnschallenge.disablepropagationcheck Disable the DNS propagation checks before notifying ACME that the DNS challenge (default "false")
- is ready. [not recommended]
---acme.dnschallenge.provider Use a DNS-01 based challenge provider rather than HTTPS.
---acme.dnschallenge.resolvers Use following DNS servers to resolve the FQDN authority.
---acme.domains CN and SANs (alternative domains) to each main domain using format: (default "[]")
- --acme.domains='main.com,san1.com,san2.com' --acme.domains='*.main.net'. No
- SANs for wildcards domain. Wildcard domains only accepted with DNSChallenge
---acme.email Email address used for registration
---acme.entrypoint EntryPoint to use.
---acme.httpchallenge Activate HTTP-01 Challenge (default "false")
---acme.httpchallenge.entrypoint HTTP challenge EntryPoint
---acme.keytype KeyType used for generating certificate private key. Allow value 'EC256',
- 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. Default to 'RSA4096'
---acme.onhostrule Enable certificate generation on frontends Host rules. (default "false")
---acme.storage Storage to use.
---acme.tlschallenge Activate TLS-ALPN-01 Challenge (default "false")
---api Enable api/dashboard (default "false")
---api.dashboard Activate dashboard (default "true")
---api.entrypoint EntryPoint (default "traefik")
---api.middlewares Middleware list
---api.statistics Enable more detailed statistics (default "true")
---api.statistics.recenterrors Number of recent errors logged (default "10")
--c, --configfile Configuration file to use (TOML).
---entrypoints Entrypoints definition using format: --entryPoints='Name:http Address::8000 (default "map[]")
- Redirect.EntryPoint:https' --entryPoints='Name:https Address::4442
- TLS:tests/traefik.crt,tests/traefik.key;prod/traefik.crt,prod/traefik.key'
---global Global configuration options (default "true")
---global.checknewversion Periodically check if a new version has been released (default "true")
--d, --global.debug Enable debug mode (default "false")
---global.sendanonymoususage send periodically anonymous usage statistics (default "false")
---hostresolver Enable CNAME Flattening (default "false")
---hostresolver.cnameflattening A flag to enable/disable CNAME flattening (default "false")
---hostresolver.resolvconfig resolv.conf used for DNS resolving (default "/etc/resolv.conf")
---hostresolver.resolvdepth The maximal depth of DNS recursive resolving (default "5")
---log Traefik log settings (default "false")
---log.filepath Traefik log file path. Stdout is used when omitted or empty
---log.format Traefik log format: json | common (default "common")
---log.level Log level set to traefik logs.
---metrics Enable a metrics exporter (default "false")
---metrics.datadog DataDog metrics exporter type (default "false")
---metrics.datadog.address DataDog's address (default "localhost:8125")
---metrics.datadog.pushinterval DataDog push interval (default "10s")
---metrics.influxdb InfluxDB metrics exporter type (default "false")
---metrics.influxdb.address InfluxDB address (default "localhost:8089")
---metrics.influxdb.database InfluxDB database used when protocol is http
---metrics.influxdb.password InfluxDB password (only with http)
---metrics.influxdb.protocol InfluxDB address protocol (udp or http) (default "udp")
---metrics.influxdb.pushinterval InfluxDB push interval (default "10s")
---metrics.influxdb.retentionpolicy InfluxDB retention policy used when protocol is http
---metrics.influxdb.username InfluxDB username (only with http)
---metrics.prometheus Prometheus metrics exporter type (default "false")
---metrics.prometheus.buckets Buckets for latency metrics (default "[0.1 0.3 1.2 5]")
---metrics.prometheus.entrypoint EntryPoint (default "traefik")
---metrics.prometheus.middlewares Middlewares
---metrics.statsd StatsD metrics exporter type (default "false")
---metrics.statsd.address StatsD address (default "localhost:8125")
---metrics.statsd.pushinterval StatsD push interval (default "10s")
---ping Enable ping (default "false")
---ping.entrypoint Ping entryPoint (default "traefik")
---ping.middlewares Middleware list
---providers Providers configuration (default "false")
---providers.docker Enable Docker backend with default settings (default "false")
---providers.docker.constraints Filter services by constraint, matching with Traefik tags. (default "[]")
---providers.docker.defaultrule Default rule (default "Host(`{{ normalize .Name }}`)")
---providers.docker.endpoint Docker server endpoint. Can be a tcp or a unix socket endpoint (default "unix:///var/run/docker.sock")
---providers.docker.exposedbydefault Expose containers by default (default "true")
---providers.docker.network Default Docker network used
---providers.docker.swarmmode Use Docker on Swarm Mode (default "false")
---providers.docker.swarmmoderefreshseconds Polling interval for swarm mode (in seconds) (default "15")
---providers.docker.tls Enable Docker TLS support (default "false")
---providers.docker.tls.ca TLS CA
---providers.docker.tls.caoptional TLS CA.Optional (default "false")
---providers.docker.tls.cert TLS cert
---providers.docker.tls.insecureskipverify TLS insecure skip verify (default "false")
---providers.docker.tls.key TLS key
---providers.docker.usebindportip Use the ip address from the bound port, rather than from the inner network (default "false")
---providers.docker.watch Watch provider (default "true")
---providers.file Enable File backend with default settings (default "true")
---providers.file.debugloggeneratedtemplate Enable debug logging of generated configuration template. (default "false")
---providers.file.directory Load configuration from one or more .toml files in a directory
---providers.file.filename Override default configuration template. For advanced users :)
---providers.file.watch Watch provider (default "true")
---providers.kubernetes Enable Kubernetes backend with default settings (default "true")
---providers.kubernetes.certauthfilepath Kubernetes certificate authority file path (not needed for in-cluster client)
---providers.kubernetes.disablepasshostheaders Kubernetes disable PassHost Headers (default "false")
---providers.kubernetes.endpoint Kubernetes server endpoint (required for external cluster client)
---providers.kubernetes.ingressclass Value of kubernetes.io/ingress.class annotation to watch for
---providers.kubernetes.ingressendpoint Kubernetes Ingress Endpoint (default "false")
---providers.kubernetes.ingressendpoint.hostname Hostname used for Kubernetes Ingress endpoints
---providers.kubernetes.ingressendpoint.ip IP used for Kubernetes Ingress endpoints
---providers.kubernetes.ingressendpoint.publishedservice Published Kubernetes Service to copy status from
---providers.kubernetes.labelselector Kubernetes Ingress label selector to use
---providers.kubernetes.namespaces Kubernetes namespaces (default "[]")
---providers.kubernetes.token Kubernetes bearer token (not needed for in-cluster client)
---providers.kubernetescrd Enable Kubernetes backend with default settings (default "false")
---providers.kubernetescrd.certauthfilepath Kubernetes certificate authority file path (not needed for in-cluster client)
---providers.kubernetescrd.disablepasshostheaders Kubernetes disable PassHost Headers (default "false")
---providers.kubernetescrd.endpoint Kubernetes server endpoint (required for external cluster client)
---providers.kubernetescrd.ingressclass Value of kubernetes.io/ingress.class annotation to watch for
---providers.kubernetescrd.labelselector Kubernetes label selector to use
---providers.kubernetescrd.namespaces Kubernetes namespaces (default "[]")
---providers.kubernetescrd.token Kubernetes bearer token (not needed for in-cluster client)
---providers.marathon Enable Marathon backend with default settings (default "false")
---providers.marathon.basic Enable basic authentication (default "false")
---providers.marathon.basic.httpbasicauthuser Basic authentication User
---providers.marathon.basic.httpbasicpassword Basic authentication Password
---providers.marathon.constraints Filter services by constraint, matching with Traefik tags. (default "[]")
---providers.marathon.dcostoken DCOSToken for DCOS environment, This will override the Authorization header
---providers.marathon.defaultrule Default rule (default "Host(`{{ normalize .Name }}`)")
---providers.marathon.dialertimeout Set a dialer timeout for Marathon (default "5s")
---providers.marathon.endpoint Marathon server endpoint. You can also specify multiple endpoint for Marathon (default "http://127.0.0.1:8080")
---providers.marathon.exposedbydefault Expose Marathon apps by default (default "true")
---providers.marathon.filtermarathonconstraints Enable use of Marathon constraints in constraint filtering (default "false")
---providers.marathon.forcetaskhostname Force to use the task's hostname. (default "false")
---providers.marathon.keepalive Set a TCP Keep Alive time in seconds (default "10s")
---providers.marathon.respectreadinesschecks Filter out tasks with non-successful readiness checks during deployments (default "false")
---providers.marathon.responseheadertimeout Set a response header timeout for Marathon (default "1m0s")
---providers.marathon.tls Enable TLS support (default "false")
---providers.marathon.tls.ca TLS CA
---providers.marathon.tls.caoptional TLS CA.Optional (default "false")
---providers.marathon.tls.cert TLS cert
---providers.marathon.tls.insecureskipverify TLS insecure skip verify (default "false")
---providers.marathon.tls.key TLS key
---providers.marathon.tlshandshaketimeout Set a TLS handhsake timeout for Marathon (default "5s")
---providers.marathon.trace Display additional provider logs. (default "false")
---providers.marathon.watch Watch provider (default "true")
---providers.providersthrottleduration Backends throttle duration: minimum duration between 2 events from providers (default "2s")
- before applying a new configuration. It avoids unnecessary reloads if multiples
- events are sent in a short amount of time.
---providers.rancher Enable Rancher backend with default settings (default "true")
---providers.rancher.constraints Filter services by constraint, matching with Traefik tags. (default "[]")
---providers.rancher.defaultrule Default rule (default "Host(`{{ normalize .Name }}`)")
---providers.rancher.exposedbydefault Expose containers by default (default "true")
---providers.rancher.intervalpoll Poll the Rancher metadata service every 'rancher.refreshseconds' (less accurate) (default "false")
---providers.rancher.prefix Prefix used for accessing the Rancher metadata service (default "latest")
---providers.rancher.watch Watch provider (default "true")
---providers.rest Enable Rest backend with default settings (default "true")
---providers.rest.entrypoint EntryPoint (default "traefik")
---serverstransport Servers default transport (default "true")
---serverstransport.forwardingtimeouts Timeouts for requests forwarded to the backend servers (default "true")
---serverstransport.forwardingtimeouts.dialtimeout The amount of time to wait until a connection to a backend server can be (default "0s")
- established. Defaults to 30 seconds. If zero, no timeout exists
---serverstransport.forwardingtimeouts.responseheadertimeout The amount of time to wait for a server's response headers after fully writing (default "0s")
- the request (including its body, if any). If zero, no timeout exists
---serverstransport.insecureskipverify Disable SSL certificate verification (default "false")
---serverstransport.maxidleconnsperhost If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, (default "200")
- DefaultMaxIdleConnsPerHost is used
---serverstransport.rootcas Add cert file for self-signed certificate
---tracing OpenTracing configuration (default "false")
---tracing.backend Selects the tracking backend ('jaeger','zipkin','datadog','instana'). (default "jaeger")
---tracing.datadog Settings for DataDog (default "false")
---tracing.datadog.bagageprefixheadername specifies the header name prefix that will be used to store baggage items in a
- map.
---tracing.datadog.debug Enable DataDog debug. (default "false")
---tracing.datadog.globaltag Key:Value tag to be set on all the spans.
---tracing.datadog.localagenthostport Set datadog-agent's host:port that the reporter will used. Defaults to (default "localhost:8126")
- localhost:8126
---tracing.datadog.parentidheadername Specifies the header name that will be used to store the parent ID.
---tracing.datadog.prioritysampling Enable priority sampling. When using distributed tracing, this option must be (default "false")
- enabled in order to get all the parts of a distributed trace sampled.
---tracing.datadog.samplingpriorityheadername Specifies the header name that will be used to store the sampling priority.
---tracing.datadog.traceidheadername Specifies the header name that will be used to store the trace ID.
---tracing.instana Settings for Instana (default "false")
---tracing.instana.localagenthost Set instana-agent's host that the reporter will used. (default "localhost")
---tracing.instana.localagentport Set instana-agent's port that the reporter will used. (default "42699")
---tracing.instana.loglevel Set instana-agent's log level. ('error','warn','info','debug') (default "info")
---tracing.jaeger Settings for jaeger (default "false")
---tracing.jaeger.gen128bit generate 128 bit span IDs. (default "false")
---tracing.jaeger.localagenthostport set jaeger-agent's host:port that the reporter will used. (default "127.0.0.1:6831")
---tracing.jaeger.propagation which propgation format to use (jaeger/b3). (default "jaeger")
---tracing.jaeger.samplingparam set the sampling parameter. (default "1")
---tracing.jaeger.samplingserverurl set the sampling server url. (default "http://localhost:5778/sampling")
---tracing.jaeger.samplingtype set the sampling type. (default "const")
---tracing.jaeger.tracecontextheadername set the header to use for the trace-id. (default "uber-trace-id")
---tracing.servicename Set the name for this service (default "traefik")
---tracing.spannamelimit Set the maximum character limit for Span names (default 0 = no limit) (default "0")
---tracing.zipkin Settings for zipkin (default "false")
---tracing.zipkin.debug Enable Zipkin debug. (default "false")
---tracing.zipkin.httpendpoint HTTP Endpoint to report traces to. (default "http://localhost:9411/api/v1/spans")
---tracing.zipkin.id128bit Use Zipkin 128 bit root span IDs. (default "true")
---tracing.zipkin.samespan Use Zipkin SameSpan RPC style traces. (default "false")
---tracing.zipkin.samplerate The rate between 0.0 and 1.0 of requests to trace. (default "1")
--h, --help Print Help (this message) and exit
\ No newline at end of file
diff --git a/docs/content/reference/static-configuration/cli.md b/docs/content/reference/static-configuration/cli.md
new file mode 100644
index 000000000..1111439df
--- /dev/null
+++ b/docs/content/reference/static-configuration/cli.md
@@ -0,0 +1,5 @@
+# Static Configuration: CLI
+
+```txt
+--8<-- "content/reference/static-configuration/cli.txt"
+```
diff --git a/docs/content/reference/static-configuration/cli.txt b/docs/content/reference/static-configuration/cli.txt
new file mode 100644
index 000000000..22f9c6326
--- /dev/null
+++ b/docs/content/reference/static-configuration/cli.txt
@@ -0,0 +1,636 @@
+
+--accesslog (Default: "false")
+ Access log settings.
+
+--accesslog.bufferingsize (Default: "0")
+ Number of access log lines to process in a buffered way.
+
+--accesslog.fields.defaultmode (Default: "keep")
+ Default mode for fields: keep | drop
+
+--accesslog.fields.headers.defaultmode (Default: "keep")
+ Default mode for fields: keep | drop | redact
+
+--accesslog.fields.headers.names. (Default: "")
+ Override mode for headers
+
+--accesslog.fields.names. (Default: "")
+ Override mode for fields
+
+--accesslog.filepath (Default: "")
+ Access log file path. Stdout is used when omitted or empty.
+
+--accesslog.filters.minduration (Default: "0")
+ Keep access logs when request took longer than the specified duration.
+
+--accesslog.filters.retryattempts (Default: "false")
+ Keep access logs when at least one retry happened.
+
+--accesslog.filters.statuscodes (Default: "")
+ Keep access logs with status codes in the specified range.
+
+--accesslog.format (Default: "common")
+ Access log format: json | common
+
+--acme.acmelogging (Default: "false")
+ Enable debug logging of ACME actions.
+
+--acme.caserver (Default: "https://acme-v02.api.letsencrypt.org/directory")
+ CA server to use.
+
+--acme.dnschallenge (Default: "false")
+ Activate DNS-01 Challenge.
+
+--acme.dnschallenge.delaybeforecheck (Default: "0")
+ Assume DNS propagates after a delay in seconds rather than finding and querying
+ nameservers.
+
+--acme.dnschallenge.disablepropagationcheck (Default: "false")
+ Disable the DNS propagation checks before notifying ACME that the DNS challenge
+ is ready. [not recommended]
+
+--acme.dnschallenge.provider (Default: "")
+ Use a DNS-01 based challenge provider rather than HTTPS.
+
+--acme.dnschallenge.resolvers (Default: "")
+ Use following DNS servers to resolve the FQDN authority.
+
+--acme.domains (Default: "")
+ The list of domains for which certificates are generated on startup. Wildcard
+ domains only accepted with DNSChallenge.
+
+--acme.domains[n].main (Default: "")
+ Default subject name.
+
+--acme.domains[n].sans (Default: "")
+ Subject alternative names.
+
+--acme.email (Default: "")
+ Email address used for registration.
+
+--acme.entrypoint (Default: "")
+ EntryPoint to use.
+
+--acme.httpchallenge (Default: "false")
+ Activate HTTP-01 Challenge.
+
+--acme.httpchallenge.entrypoint (Default: "")
+ HTTP challenge EntryPoint
+
+--acme.keytype (Default: "RSA4096")
+ KeyType used for generating certificate private key. Allow value 'EC256',
+ 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'.
+
+--acme.onhostrule (Default: "false")
+ Enable certificate generation on router Host rules.
+
+--acme.storage (Default: "acme.json")
+ Storage to use.
+
+--acme.tlschallenge (Default: "true")
+ Activate TLS-ALPN-01 Challenge.
+
+--api (Default: "false")
+ Enable api/dashboard.
+
+--api.dashboard (Default: "true")
+ Activate dashboard.
+
+--api.debug (Default: "false")
+ Enable additional endpoints for debugging and profiling.
+
+--api.entrypoint (Default: "traefik")
+ The entry point that the API handler will be bound to.
+
+--api.middlewares (Default: "")
+ Middleware list.
+
+--api.statistics (Default: "false")
+ Enable more detailed statistics.
+
+--api.statistics.recenterrors (Default: "10")
+ Number of recent errors logged.
+
+--configfile (Default: "")
+ Configuration file to use. If specified all other flags are ignored.
+
+--entrypoints. (Default: "false")
+ Entry points definition.
+
+--entrypoints..address (Default: "")
+ Entry point address.
+
+--entrypoints..forwardedheaders.insecure (Default: "false")
+ Trust all forwarded headers.
+
+--entrypoints..forwardedheaders.trustedips (Default: "")
+ Trust only forwarded headers from selected IPs.
+
+--entrypoints..proxyprotocol (Default: "false")
+ Proxy-Protocol configuration.
+
+--entrypoints..proxyprotocol.insecure (Default: "false")
+ Trust all.
+
+--entrypoints..proxyprotocol.trustedips (Default: "")
+ Trust only selected IPs.
+
+--entrypoints..transport.lifecycle.gracetimeout (Default: "10")
+ Duration to give active requests a chance to finish before Traefik stops.
+
+--entrypoints..transport.lifecycle.requestacceptgracetimeout (Default: "0")
+ Duration to keep accepting requests before Traefik initiates the graceful
+ shutdown procedure.
+
+--entrypoints..transport.respondingtimeouts.idletimeout (Default: "180")
+ IdleTimeout is the maximum amount duration an idle (keep-alive) connection will
+ remain idle before closing itself. If zero, no timeout is set.
+
+--entrypoints..transport.respondingtimeouts.readtimeout (Default: "0")
+ ReadTimeout is the maximum duration for reading the entire request, including
+ the body. If zero, no timeout is set.
+
+--entrypoints..transport.respondingtimeouts.writetimeout (Default: "0")
+ WriteTimeout is the maximum duration before timing out writes of the response.
+ If zero, no timeout is set.
+
+--global.checknewversion (Default: "true")
+ Periodically check if a new version has been released.
+
+--global.sendanonymoususage
+ Periodically send anonymous usage statistics. If the option is not specified, it
+ will be enabled by default.
+
+--hostresolver (Default: "false")
+ Enable CNAME Flattening.
+
+--hostresolver.cnameflattening (Default: "false")
+ A flag to enable/disable CNAME flattening
+
+--hostresolver.resolvconfig (Default: "/etc/resolv.conf")
+ resolv.conf used for DNS resolving
+
+--hostresolver.resolvdepth (Default: "5")
+ The maximal depth of DNS recursive resolving
+
+--log.filepath (Default: "")
+ Traefik log file path. Stdout is used when omitted or empty.
+
+--log.format (Default: "common")
+ Traefik log format: json | common
+
+--log.level (Default: "ERROR")
+ Log level set to traefik logs.
+
+--metrics.datadog (Default: "false")
+ DataDog metrics exporter type.
+
+--metrics.datadog.address (Default: "localhost:8125")
+ DataDog's address.
+
+--metrics.datadog.pushinterval (Default: "10")
+ DataDog push interval.
+
+--metrics.influxdb (Default: "false")
+ InfluxDB metrics exporter type.
+
+--metrics.influxdb.address (Default: "localhost:8089")
+ InfluxDB address.
+
+--metrics.influxdb.database (Default: "")
+ InfluxDB database used when protocol is http.
+
+--metrics.influxdb.password (Default: "")
+ InfluxDB password (only with http).
+
+--metrics.influxdb.protocol (Default: "udp")
+ InfluxDB address protocol (udp or http).
+
+--metrics.influxdb.pushinterval (Default: "10")
+ InfluxDB push interval.
+
+--metrics.influxdb.retentionpolicy (Default: "")
+ InfluxDB retention policy used when protocol is http.
+
+--metrics.influxdb.username (Default: "")
+ InfluxDB username (only with http).
+
+--metrics.prometheus (Default: "false")
+ Prometheus metrics exporter type.
+
+--metrics.prometheus.buckets (Default: "0.100000, 0.300000, 1.200000, 5.000000")
+ Buckets for latency metrics.
+
+--metrics.prometheus.entrypoint (Default: "traefik")
+ EntryPoint.
+
+--metrics.prometheus.middlewares (Default: "")
+ Middlewares.
+
+--metrics.statsd (Default: "false")
+ StatsD metrics exporter type.
+
+--metrics.statsd.address (Default: "localhost:8125")
+ StatsD address.
+
+--metrics.statsd.pushinterval (Default: "10")
+ StatsD push interval.
+
+--ping (Default: "false")
+ Enable ping.
+
+--ping.entrypoint (Default: "traefik")
+ Ping entryPoint.
+
+--ping.middlewares (Default: "")
+ Middleware list.
+
+--providers.docker (Default: "false")
+ Enable Docker backend with default settings.
+
+--providers.docker.constraints (Default: "")
+ Filter services by constraint, matching with Traefik tags.
+
+--providers.docker.constraints[n].key (Default: "")
+ The provider label that will be matched against. In practice, it is always
+ 'tag'.
+
+--providers.docker.constraints[n].mustmatch (Default: "false")
+ Whether the matching operator is equals or not equals.
+
+--providers.docker.constraints[n].value (Default: "")
+ The value that will be matched against.
+
+--providers.docker.defaultrule (Default: "Host(`{{ normalize .Name }}`)")
+ Default rule.
+
+--providers.docker.endpoint (Default: "unix:///var/run/docker.sock")
+ Docker server endpoint. Can be a tcp or a unix socket endpoint.
+
+--providers.docker.exposedbydefault (Default: "true")
+ Expose containers by default.
+
+--providers.docker.network (Default: "")
+ Default Docker network used.
+
+--providers.docker.swarmmode (Default: "false")
+ Use Docker on Swarm Mode.
+
+--providers.docker.swarmmoderefreshseconds (Default: "15")
+ Polling interval for swarm mode.
+
+--providers.docker.tls.ca (Default: "")
+ TLS CA
+
+--providers.docker.tls.caoptional (Default: "false")
+ TLS CA.Optional
+
+--providers.docker.tls.cert (Default: "")
+ TLS cert
+
+--providers.docker.tls.insecureskipverify (Default: "false")
+ TLS insecure skip verify
+
+--providers.docker.tls.key (Default: "")
+ TLS key
+
+--providers.docker.usebindportip (Default: "false")
+ Use the ip address from the bound port, rather than from the inner network.
+
+--providers.docker.watch (Default: "true")
+ Watch provider.
+
+--providers.file (Default: "false")
+ Enable File backend with default settings.
+
+--providers.file.debugloggeneratedtemplate (Default: "false")
+ Enable debug logging of generated configuration template.
+
+--providers.file.directory (Default: "")
+ Load configuration from one or more .toml files in a directory.
+
+--providers.file.filename (Default: "")
+ Override default configuration template. For advanced users :)
+
+--providers.file.watch (Default: "true")
+ Watch provider.
+
+--providers.kubernetes (Default: "false")
+ Enable Kubernetes backend with default settings.
+
+--providers.kubernetes.certauthfilepath (Default: "")
+ Kubernetes certificate authority file path (not needed for in-cluster client).
+
+--providers.kubernetes.disablepasshostheaders (Default: "false")
+ Kubernetes disable PassHost Headers.
+
+--providers.kubernetes.endpoint (Default: "")
+ Kubernetes server endpoint (required for external cluster client).
+
+--providers.kubernetes.ingressclass (Default: "")
+ Value of kubernetes.io/ingress.class annotation to watch for.
+
+--providers.kubernetes.ingressendpoint.hostname (Default: "")
+ Hostname used for Kubernetes Ingress endpoints.
+
+--providers.kubernetes.ingressendpoint.ip (Default: "")
+ IP used for Kubernetes Ingress endpoints.
+
+--providers.kubernetes.ingressendpoint.publishedservice (Default: "")
+ Published Kubernetes Service to copy status from.
+
+--providers.kubernetes.labelselector (Default: "")
+ Kubernetes Ingress label selector to use.
+
+--providers.kubernetes.namespaces (Default: "")
+ Kubernetes namespaces.
+
+--providers.kubernetes.token (Default: "")
+ Kubernetes bearer token (not needed for in-cluster client).
+
+--providers.kubernetescrd (Default: "false")
+ Enable Kubernetes backend with default settings.
+
+--providers.kubernetescrd.certauthfilepath (Default: "")
+ Kubernetes certificate authority file path (not needed for in-cluster client).
+
+--providers.kubernetescrd.disablepasshostheaders (Default: "false")
+ Kubernetes disable PassHost Headers.
+
+--providers.kubernetescrd.endpoint (Default: "")
+ Kubernetes server endpoint (required for external cluster client).
+
+--providers.kubernetescrd.ingressclass (Default: "")
+ Value of kubernetes.io/ingress.class annotation to watch for.
+
+--providers.kubernetescrd.labelselector (Default: "")
+ Kubernetes label selector to use.
+
+--providers.kubernetescrd.namespaces (Default: "")
+ Kubernetes namespaces.
+
+--providers.kubernetescrd.token (Default: "")
+ Kubernetes bearer token (not needed for in-cluster client).
+
+--providers.marathon (Default: "false")
+ Enable Marathon backend with default settings.
+
+--providers.marathon.basic.httpbasicauthuser (Default: "")
+ Basic authentication User.
+
+--providers.marathon.basic.httpbasicpassword (Default: "")
+ Basic authentication Password.
+
+--providers.marathon.constraints (Default: "")
+ Filter services by constraint, matching with Traefik tags.
+
+--providers.marathon.constraints[n].key (Default: "")
+ The provider label that will be matched against. In practice, it is always
+ 'tag'.
+
+--providers.marathon.constraints[n].mustmatch (Default: "false")
+ Whether the matching operator is equals or not equals.
+
+--providers.marathon.constraints[n].value (Default: "")
+ The value that will be matched against.
+
+--providers.marathon.dcostoken (Default: "")
+ DCOSToken for DCOS environment, This will override the Authorization header.
+
+--providers.marathon.defaultrule (Default: "Host(`{{ normalize .Name }}`)")
+ Default rule.
+
+--providers.marathon.dialertimeout (Default: "5")
+ Set a dialer timeout for Marathon.
+
+--providers.marathon.endpoint (Default: "http://127.0.0.1:8080")
+ Marathon server endpoint. You can also specify multiple endpoint for Marathon.
+
+--providers.marathon.exposedbydefault (Default: "true")
+ Expose Marathon apps by default.
+
+--providers.marathon.filtermarathonconstraints (Default: "false")
+ Enable use of Marathon constraints in constraint filtering.
+
+--providers.marathon.forcetaskhostname (Default: "false")
+ Force to use the task's hostname.
+
+--providers.marathon.keepalive (Default: "10")
+ Set a TCP Keep Alive time.
+
+--providers.marathon.respectreadinesschecks (Default: "false")
+ Filter out tasks with non-successful readiness checks during deployments.
+
+--providers.marathon.responseheadertimeout (Default: "60")
+ Set a response header timeout for Marathon.
+
+--providers.marathon.tls.ca (Default: "")
+ TLS CA
+
+--providers.marathon.tls.caoptional (Default: "false")
+ TLS CA.Optional
+
+--providers.marathon.tls.cert (Default: "")
+ TLS cert
+
+--providers.marathon.tls.insecureskipverify (Default: "false")
+ TLS insecure skip verify
+
+--providers.marathon.tls.key (Default: "")
+ TLS key
+
+--providers.marathon.tlshandshaketimeout (Default: "5")
+ Set a TLS handshake timeout for Marathon.
+
+--providers.marathon.trace (Default: "false")
+ Display additional provider logs.
+
+--providers.marathon.watch (Default: "true")
+ Watch provider.
+
+--providers.providersthrottleduration (Default: "2")
+ Backends throttle duration: minimum duration between 2 events from providers
+ before applying a new configuration. It avoids unnecessary reloads if multiples
+ events are sent in a short amount of time.
+
+--providers.rancher (Default: "false")
+ Enable Rancher backend with default settings.
+
+--providers.rancher.constraints (Default: "")
+ Filter services by constraint, matching with Traefik tags.
+
+--providers.rancher.constraints[n].key (Default: "")
+ The provider label that will be matched against. In practice, it is always
+ 'tag'.
+
+--providers.rancher.constraints[n].mustmatch (Default: "false")
+ Whether the matching operator is equals or not equals.
+
+--providers.rancher.constraints[n].value (Default: "")
+ The value that will be matched against.
+
+--providers.rancher.defaultrule (Default: "Host(`{{ normalize .Name }}`)")
+ Default rule.
+
+--providers.rancher.enableservicehealthfilter (Default: "true")
+ Filter services with unhealthy states and inactive states.
+
+--providers.rancher.exposedbydefault (Default: "true")
+ Expose containers by default.
+
+--providers.rancher.intervalpoll (Default: "false")
+ Poll the Rancher metadata service every 'rancher.refreshseconds' (less
+ accurate).
+
+--providers.rancher.prefix (Default: "latest")
+ Prefix used for accessing the Rancher metadata service.
+
+--providers.rancher.refreshseconds (Default: "15")
+ Defines the polling interval in seconds.
+
+--providers.rancher.watch (Default: "true")
+ Watch provider.
+
+--providers.rest (Default: "false")
+ Enable Rest backend with default settings.
+
+--providers.rest.entrypoint (Default: "traefik")
+ EntryPoint.
+
+--serverstransport.forwardingtimeouts.dialtimeout (Default: "30")
+ The amount of time to wait until a connection to a backend server can be
+ established. If zero, no timeout exists.
+
+--serverstransport.forwardingtimeouts.responseheadertimeout (Default: "0")
+ The amount of time to wait for a server's response headers after fully writing
+ the request (including its body, if any). If zero, no timeout exists.
+
+--serverstransport.insecureskipverify (Default: "false")
+ Disable SSL certificate verification.
+
+--serverstransport.maxidleconnsperhost (Default: "200")
+ If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero,
+ DefaultMaxIdleConnsPerHost is used
+
+--serverstransport.rootcas (Default: "")
+ Add cert file for self-signed certificate.
+
+--tracing (Default: "false")
+ OpenTracing configuration.
+
+--tracing.backend (Default: "jaeger")
+ Selects the tracking backend ('jaeger','zipkin','datadog','instana').
+
+--tracing.datadog (Default: "false")
+ Settings for DataDog.
+
+--tracing.datadog.bagageprefixheadername (Default: "")
+ Specifies the header name prefix that will be used to store baggage items in a
+ map.
+
+--tracing.datadog.debug (Default: "false")
+ Enable DataDog debug.
+
+--tracing.datadog.globaltag (Default: "")
+ Key:Value tag to be set on all the spans.
+
+--tracing.datadog.localagenthostport (Default: "localhost:8126")
+ Set datadog-agent's host:port that the reporter will used.
+
+--tracing.datadog.parentidheadername (Default: "")
+ Specifies the header name that will be used to store the parent ID.
+
+--tracing.datadog.prioritysampling (Default: "false")
+ Enable priority sampling. When using distributed tracing, this option must be
+ enabled in order to get all the parts of a distributed trace sampled.
+
+--tracing.datadog.samplingpriorityheadername (Default: "")
+ Specifies the header name that will be used to store the sampling priority.
+
+--tracing.datadog.traceidheadername (Default: "")
+ Specifies the header name that will be used to store the trace ID.
+
+--tracing.haystack (Default: "false")
+ Settings for Haystack.
+
+--tracing.haystack.baggageprefixheadername (Default: "")
+ specifies the header name prefix that will be used to store baggage items in a
+ map.
+
+--tracing.haystack.globaltag (Default: "")
+ Key:Value tag to be set on all the spans.
+
+--tracing.haystack.localagenthost (Default: "LocalAgentHost")
+ Set haystack-agent's host that the reporter will used.
+
+--tracing.haystack.localagentport (Default: "35000")
+ Set haystack-agent's port that the reporter will used.
+
+--tracing.haystack.parentidheadername (Default: "")
+ Specifies the header name that will be used to store the parent ID.
+
+--tracing.haystack.spanidheadername (Default: "")
+ Specifies the header name that will be used to store the span ID.
+
+--tracing.haystack.traceidheadername (Default: "")
+ Specifies the header name that will be used to store the trace ID.
+
+--tracing.instana (Default: "false")
+ Settings for Instana.
+
+--tracing.instana.localagenthost (Default: "localhost")
+ Set instana-agent's host that the reporter will used.
+
+--tracing.instana.localagentport (Default: "42699")
+ Set instana-agent's port that the reporter will used.
+
+--tracing.instana.loglevel (Default: "info")
+ Set instana-agent's log level. ('error','warn','info','debug')
+
+--tracing.jaeger (Default: "false")
+ Settings for jaeger.
+
+--tracing.jaeger.gen128bit (Default: "false")
+ Generate 128 bit span IDs.
+
+--tracing.jaeger.localagenthostport (Default: "127.0.0.1:6831")
+ Set jaeger-agent's host:port that the reporter will used.
+
+--tracing.jaeger.propagation (Default: "jaeger")
+ Which propgation format to use (jaeger/b3).
+
+--tracing.jaeger.samplingparam (Default: "1.000000")
+ Set the sampling parameter.
+
+--tracing.jaeger.samplingserverurl (Default: "http://localhost:5778/sampling")
+ Set the sampling server url.
+
+--tracing.jaeger.samplingtype (Default: "const")
+ Set the sampling type.
+
+--tracing.jaeger.tracecontextheadername (Default: "uber-trace-id")
+ Set the header to use for the trace-id.
+
+--tracing.servicename (Default: "traefik")
+ Set the name for this service.
+
+--tracing.spannamelimit (Default: "0")
+ Set the maximum character limit for Span names (default 0 = no limit).
+
+--tracing.zipkin (Default: "false")
+ Settings for zipkin.
+
+--tracing.zipkin.debug (Default: "false")
+ Enable Zipkin debug.
+
+--tracing.zipkin.httpendpoint (Default: "http://localhost:9411/api/v1/spans")
+ HTTP Endpoint to report traces to.
+
+--tracing.zipkin.id128bit (Default: "true")
+ Use Zipkin 128 bit root span IDs.
+
+--tracing.zipkin.samespan (Default: "false")
+ Use Zipkin SameSpan RPC style traces.
+
+--tracing.zipkin.samplerate (Default: "1.000000")
+ The rate between 0.0 and 1.0 of requests to trace.
diff --git a/docs/content/reference/static-configuration/env.md b/docs/content/reference/static-configuration/env.md
new file mode 100644
index 000000000..1b2d4075f
--- /dev/null
+++ b/docs/content/reference/static-configuration/env.md
@@ -0,0 +1,616 @@
+# Static Configuration: Environment variables
+
+`TRAEFIK_ACCESSLOG`:
+Access log settings. (Default: ```false```)
+
+`TRAEFIK_ACCESSLOG_BUFFERINGSIZE`:
+Number of access log lines to process in a buffered way. (Default: ```0```)
+
+`TRAEFIK_ACCESSLOG_FIELDS_DEFAULTMODE`:
+Default mode for fields: keep | drop (Default: ```keep```)
+
+`TRAEFIK_ACCESSLOG_FIELDS_HEADERS_DEFAULTMODE`:
+Default mode for fields: keep | drop | redact (Default: ```keep```)
+
+`TRAEFIK_ACCESSLOG_FIELDS_HEADERS_NAMES_`:
+Override mode for headers
+
+`TRAEFIK_ACCESSLOG_FIELDS_NAMES_`:
+Override mode for fields
+
+`TRAEFIK_ACCESSLOG_FILEPATH`:
+Access log file path. Stdout is used when omitted or empty.
+
+`TRAEFIK_ACCESSLOG_FILTERS_MINDURATION`:
+Keep access logs when request took longer than the specified duration. (Default: ```0```)
+
+`TRAEFIK_ACCESSLOG_FILTERS_RETRYATTEMPTS`:
+Keep access logs when at least one retry happened. (Default: ```false```)
+
+`TRAEFIK_ACCESSLOG_FILTERS_STATUSCODES`:
+Keep access logs with status codes in the specified range.
+
+`TRAEFIK_ACCESSLOG_FORMAT`:
+Access log format: json | common (Default: ```common```)
+
+`TRAEFIK_ACME_ACMELOGGING`:
+Enable debug logging of ACME actions. (Default: ```false```)
+
+`TRAEFIK_ACME_CASERVER`:
+CA server to use. (Default: ```https://acme-v02.api.letsencrypt.org/directory```)
+
+`TRAEFIK_ACME_DNSCHALLENGE`:
+Activate DNS-01 Challenge. (Default: ```false```)
+
+`TRAEFIK_ACME_DNSCHALLENGE_DELAYBEFORECHECK`:
+Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
+
+`TRAEFIK_ACME_DNSCHALLENGE_DISABLEPROPAGATIONCHECK`:
+Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
+
+`TRAEFIK_ACME_DNSCHALLENGE_PROVIDER`:
+Use a DNS-01 based challenge provider rather than HTTPS.
+
+`TRAEFIK_ACME_DNSCHALLENGE_RESOLVERS`:
+Use following DNS servers to resolve the FQDN authority.
+
+`TRAEFIK_ACME_DOMAINS`:
+The list of domains for which certificates are generated on startup. Wildcard domains only accepted with DNSChallenge.
+
+`TRAEFIK_ACME_DOMAINS[n]_MAIN`:
+Default subject name.
+
+`TRAEFIK_ACME_DOMAINS[n]_SANS`:
+Subject alternative names.
+
+`TRAEFIK_ACME_EMAIL`:
+Email address used for registration.
+
+`TRAEFIK_ACME_ENTRYPOINT`:
+EntryPoint to use.
+
+`TRAEFIK_ACME_HTTPCHALLENGE`:
+Activate HTTP-01 Challenge. (Default: ```false```)
+
+`TRAEFIK_ACME_HTTPCHALLENGE_ENTRYPOINT`:
+HTTP challenge EntryPoint
+
+`TRAEFIK_ACME_KEYTYPE`:
+KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. (Default: ```RSA4096```)
+
+`TRAEFIK_ACME_ONHOSTRULE`:
+Enable certificate generation on router Host rules. (Default: ```false```)
+
+`TRAEFIK_ACME_STORAGE`:
+Storage to use. (Default: ```acme.json```)
+
+`TRAEFIK_ACME_TLSCHALLENGE`:
+Activate TLS-ALPN-01 Challenge. (Default: ```true```)
+
+`TRAEFIK_API`:
+Enable api/dashboard. (Default: ```false```)
+
+`TRAEFIK_API_DASHBOARD`:
+Activate dashboard. (Default: ```true```)
+
+`TRAEFIK_API_DEBUG`:
+Enable additional endpoints for debugging and profiling. (Default: ```false```)
+
+`TRAEFIK_API_ENTRYPOINT`:
+The entry point that the API handler will be bound to. (Default: ```traefik```)
+
+`TRAEFIK_API_MIDDLEWARES`:
+Middleware list.
+
+`TRAEFIK_API_STATISTICS`:
+Enable more detailed statistics. (Default: ```false```)
+
+`TRAEFIK_API_STATISTICS_RECENTERRORS`:
+Number of recent errors logged. (Default: ```10```)
+
+`TRAEFIK_CONFIGFILE`:
+Configuration file to use. If specified all other flags are ignored. (Default: "")
+
+`TRAEFIK_ENTRYPOINTS_`:
+Entry points definition. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS__ADDRESS`:
+Entry point address.
+
+`TRAEFIK_ENTRYPOINTS__FORWARDEDHEADERS_INSECURE`:
+Trust all forwarded headers. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS__FORWARDEDHEADERS_TRUSTEDIPS`:
+Trust only forwarded headers from selected IPs.
+
+`TRAEFIK_ENTRYPOINTS__PROXYPROTOCOL`:
+Proxy-Protocol configuration. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS__PROXYPROTOCOL_INSECURE`:
+Trust all. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS__PROXYPROTOCOL_TRUSTEDIPS`:
+Trust only selected IPs.
+
+`TRAEFIK_ENTRYPOINTS__TRANSPORT_LIFECYCLE_GRACETIMEOUT`:
+Duration to give active requests a chance to finish before Traefik stops. (Default: ```10```)
+
+`TRAEFIK_ENTRYPOINTS__TRANSPORT_LIFECYCLE_REQUESTACCEPTGRACETIMEOUT`:
+Duration to keep accepting requests before Traefik initiates the graceful shutdown procedure. (Default: ```0```)
+
+`TRAEFIK_ENTRYPOINTS__TRANSPORT_RESPONDINGTIMEOUTS_IDLETIMEOUT`:
+IdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout is set. (Default: ```180```)
+
+`TRAEFIK_ENTRYPOINTS__TRANSPORT_RESPONDINGTIMEOUTS_READTIMEOUT`:
+ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set. (Default: ```0```)
+
+`TRAEFIK_ENTRYPOINTS__TRANSPORT_RESPONDINGTIMEOUTS_WRITETIMEOUT`:
+WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set. (Default: ```0```)
+
+`TRAEFIK_GLOBAL_CHECKNEWVERSION`:
+Periodically check if a new version has been released. (Default: ```false```)
+
+`TRAEFIK_GLOBAL_SENDANONYMOUSUSAGE`:
+Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default.
+
+`TRAEFIK_HOSTRESOLVER`:
+Enable CNAME Flattening. (Default: ```false```)
+
+`TRAEFIK_HOSTRESOLVER_CNAMEFLATTENING`:
+A flag to enable/disable CNAME flattening (Default: ```false```)
+
+`TRAEFIK_HOSTRESOLVER_RESOLVCONFIG`:
+resolv.conf used for DNS resolving (Default: ```/etc/resolv.conf```)
+
+`TRAEFIK_HOSTRESOLVER_RESOLVDEPTH`:
+The maximal depth of DNS recursive resolving (Default: ```5```)
+
+`TRAEFIK_LOG_FILEPATH`:
+Traefik log file path. Stdout is used when omitted or empty.
+
+`TRAEFIK_LOG_FORMAT`:
+Traefik log format: json | common (Default: ```common```)
+
+`TRAEFIK_LOG_LEVEL`:
+Log level set to traefik logs. (Default: ```ERROR```)
+
+`TRAEFIK_METRICS_DATADOG`:
+DataDog metrics exporter type. (Default: ```false```)
+
+`TRAEFIK_METRICS_DATADOG_ADDRESS`:
+DataDog's address. (Default: ```localhost:8125```)
+
+`TRAEFIK_METRICS_DATADOG_PUSHINTERVAL`:
+DataDog push interval. (Default: ```10```)
+
+`TRAEFIK_METRICS_INFLUXDB`:
+InfluxDB metrics exporter type. (Default: ```false```)
+
+`TRAEFIK_METRICS_INFLUXDB_ADDRESS`:
+InfluxDB address. (Default: ```localhost:8089```)
+
+`TRAEFIK_METRICS_INFLUXDB_DATABASE`:
+InfluxDB database used when protocol is http.
+
+`TRAEFIK_METRICS_INFLUXDB_PASSWORD`:
+InfluxDB password (only with http).
+
+`TRAEFIK_METRICS_INFLUXDB_PROTOCOL`:
+InfluxDB address protocol (udp or http). (Default: ```udp```)
+
+`TRAEFIK_METRICS_INFLUXDB_PUSHINTERVAL`:
+InfluxDB push interval. (Default: ```10```)
+
+`TRAEFIK_METRICS_INFLUXDB_RETENTIONPOLICY`:
+InfluxDB retention policy used when protocol is http.
+
+`TRAEFIK_METRICS_INFLUXDB_USERNAME`:
+InfluxDB username (only with http).
+
+`TRAEFIK_METRICS_PROMETHEUS`:
+Prometheus metrics exporter type. (Default: ```false```)
+
+`TRAEFIK_METRICS_PROMETHEUS_BUCKETS`:
+Buckets for latency metrics. (Default: ```0.100000, 0.300000, 1.200000, 5.000000```)
+
+`TRAEFIK_METRICS_PROMETHEUS_ENTRYPOINT`:
+EntryPoint. (Default: ```traefik```)
+
+`TRAEFIK_METRICS_PROMETHEUS_MIDDLEWARES`:
+Middlewares.
+
+`TRAEFIK_METRICS_STATSD`:
+StatsD metrics exporter type. (Default: ```false```)
+
+`TRAEFIK_METRICS_STATSD_ADDRESS`:
+StatsD address. (Default: ```localhost:8125```)
+
+`TRAEFIK_METRICS_STATSD_PUSHINTERVAL`:
+StatsD push interval. (Default: ```10```)
+
+`TRAEFIK_PING`:
+Enable ping. (Default: ```false```)
+
+`TRAEFIK_PING_ENTRYPOINT`:
+Ping entryPoint. (Default: ```traefik```)
+
+`TRAEFIK_PING_MIDDLEWARES`:
+Middleware list.
+
+`TRAEFIK_PROVIDERS_DOCKER`:
+Enable Docker backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_DOCKER_CONSTRAINTS`:
+Filter services by constraint, matching with Traefik tags.
+
+`TRAEFIK_PROVIDERS_DOCKER_CONSTRAINTS[n]_KEY`:
+The provider label that will be matched against. In practice, it is always 'tag'.
+
+`TRAEFIK_PROVIDERS_DOCKER_CONSTRAINTS[n]_MUSTMATCH`:
+Whether the matching operator is equals or not equals. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_DOCKER_CONSTRAINTS[n]_VALUE`:
+The value that will be matched against.
+
+`TRAEFIK_PROVIDERS_DOCKER_DEFAULTRULE`:
+Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
+
+`TRAEFIK_PROVIDERS_DOCKER_ENDPOINT`:
+Docker server endpoint. Can be a tcp or a unix socket endpoint. (Default: ```unix:///var/run/docker.sock```)
+
+`TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT`:
+Expose containers by default. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_DOCKER_NETWORK`:
+Default Docker network used.
+
+`TRAEFIK_PROVIDERS_DOCKER_SWARMMODE`:
+Use Docker on Swarm Mode. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_DOCKER_SWARMMODEREFRESHSECONDS`:
+Polling interval for swarm mode. (Default: ```15```)
+
+`TRAEFIK_PROVIDERS_DOCKER_TLS_CA`:
+TLS CA
+
+`TRAEFIK_PROVIDERS_DOCKER_TLS_CAOPTIONAL`:
+TLS CA.Optional (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_DOCKER_TLS_CERT`:
+TLS cert
+
+`TRAEFIK_PROVIDERS_DOCKER_TLS_INSECURESKIPVERIFY`:
+TLS insecure skip verify (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_DOCKER_TLS_KEY`:
+TLS key
+
+`TRAEFIK_PROVIDERS_DOCKER_USEBINDPORTIP`:
+Use the ip address from the bound port, rather than from the inner network. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_DOCKER_WATCH`:
+Watch provider. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_FILE`:
+Enable File backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_FILE_DEBUGLOGGENERATEDTEMPLATE`:
+Enable debug logging of generated configuration template. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_FILE_DIRECTORY`:
+Load configuration from one or more .toml files in a directory.
+
+`TRAEFIK_PROVIDERS_FILE_FILENAME`:
+Override default configuration template. For advanced users :)
+
+`TRAEFIK_PROVIDERS_FILE_WATCH`:
+Watch provider. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_KUBERNETES`:
+Enable Kubernetes backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD`:
+Enable Kubernetes backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_CERTAUTHFILEPATH`:
+Kubernetes certificate authority file path (not needed for in-cluster client).
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_DISABLEPASSHOSTHEADERS`:
+Kubernetes disable PassHost Headers. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_ENDPOINT`:
+Kubernetes server endpoint (required for external cluster client).
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_INGRESSCLASS`:
+Value of kubernetes.io/ingress.class annotation to watch for.
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_LABELSELECTOR`:
+Kubernetes label selector to use.
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_NAMESPACES`:
+Kubernetes namespaces.
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_TOKEN`:
+Kubernetes bearer token (not needed for in-cluster client).
+
+`TRAEFIK_PROVIDERS_KUBERNETES_CERTAUTHFILEPATH`:
+Kubernetes certificate authority file path (not needed for in-cluster client).
+
+`TRAEFIK_PROVIDERS_KUBERNETES_DISABLEPASSHOSTHEADERS`:
+Kubernetes disable PassHost Headers. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_KUBERNETES_ENDPOINT`:
+Kubernetes server endpoint (required for external cluster client).
+
+`TRAEFIK_PROVIDERS_KUBERNETES_INGRESSCLASS`:
+Value of kubernetes.io/ingress.class annotation to watch for.
+
+`TRAEFIK_PROVIDERS_KUBERNETES_INGRESSENDPOINT_HOSTNAME`:
+Hostname used for Kubernetes Ingress endpoints.
+
+`TRAEFIK_PROVIDERS_KUBERNETES_INGRESSENDPOINT_IP`:
+IP used for Kubernetes Ingress endpoints.
+
+`TRAEFIK_PROVIDERS_KUBERNETES_INGRESSENDPOINT_PUBLISHEDSERVICE`:
+Published Kubernetes Service to copy status from.
+
+`TRAEFIK_PROVIDERS_KUBERNETES_LABELSELECTOR`:
+Kubernetes Ingress label selector to use.
+
+`TRAEFIK_PROVIDERS_KUBERNETES_NAMESPACES`:
+Kubernetes namespaces.
+
+`TRAEFIK_PROVIDERS_KUBERNETES_TOKEN`:
+Kubernetes bearer token (not needed for in-cluster client).
+
+`TRAEFIK_PROVIDERS_MARATHON`:
+Enable Marathon backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_MARATHON_BASIC_HTTPBASICAUTHUSER`:
+Basic authentication User.
+
+`TRAEFIK_PROVIDERS_MARATHON_BASIC_HTTPBASICPASSWORD`:
+Basic authentication Password.
+
+`TRAEFIK_PROVIDERS_MARATHON_CONSTRAINTS`:
+Filter services by constraint, matching with Traefik tags.
+
+`TRAEFIK_PROVIDERS_MARATHON_CONSTRAINTS[n]_KEY`:
+The provider label that will be matched against. In practice, it is always 'tag'.
+
+`TRAEFIK_PROVIDERS_MARATHON_CONSTRAINTS[n]_MUSTMATCH`:
+Whether the matching operator is equals or not equals. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_MARATHON_CONSTRAINTS[n]_VALUE`:
+The value that will be matched against.
+
+`TRAEFIK_PROVIDERS_MARATHON_DCOSTOKEN`:
+DCOSToken for DCOS environment, This will override the Authorization header.
+
+`TRAEFIK_PROVIDERS_MARATHON_DEFAULTRULE`:
+Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
+
+`TRAEFIK_PROVIDERS_MARATHON_DIALERTIMEOUT`:
+Set a dialer timeout for Marathon. (Default: ```5```)
+
+`TRAEFIK_PROVIDERS_MARATHON_ENDPOINT`:
+Marathon server endpoint. You can also specify multiple endpoint for Marathon. (Default: ```http://127.0.0.1:8080```)
+
+`TRAEFIK_PROVIDERS_MARATHON_EXPOSEDBYDEFAULT`:
+Expose Marathon apps by default. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_MARATHON_FILTERMARATHONCONSTRAINTS`:
+Enable use of Marathon constraints in constraint filtering. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_MARATHON_FORCETASKHOSTNAME`:
+Force to use the task's hostname. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_MARATHON_KEEPALIVE`:
+Set a TCP Keep Alive time. (Default: ```10```)
+
+`TRAEFIK_PROVIDERS_MARATHON_RESPECTREADINESSCHECKS`:
+Filter out tasks with non-successful readiness checks during deployments. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_MARATHON_RESPONSEHEADERTIMEOUT`:
+Set a response header timeout for Marathon. (Default: ```60```)
+
+`TRAEFIK_PROVIDERS_MARATHON_TLSHANDSHAKETIMEOUT`:
+Set a TLS handshake timeout for Marathon. (Default: ```5```)
+
+`TRAEFIK_PROVIDERS_MARATHON_TLS_CA`:
+TLS CA
+
+`TRAEFIK_PROVIDERS_MARATHON_TLS_CAOPTIONAL`:
+TLS CA.Optional (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_MARATHON_TLS_CERT`:
+TLS cert
+
+`TRAEFIK_PROVIDERS_MARATHON_TLS_INSECURESKIPVERIFY`:
+TLS insecure skip verify (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_MARATHON_TLS_KEY`:
+TLS key
+
+`TRAEFIK_PROVIDERS_MARATHON_TRACE`:
+Display additional provider logs. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_MARATHON_WATCH`:
+Watch provider. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_PROVIDERSTHROTTLEDURATION`:
+Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time. (Default: ```0```)
+
+`TRAEFIK_PROVIDERS_RANCHER`:
+Enable Rancher backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_RANCHER_CONSTRAINTS`:
+Filter services by constraint, matching with Traefik tags.
+
+`TRAEFIK_PROVIDERS_RANCHER_CONSTRAINTS[n]_KEY`:
+The provider label that will be matched against. In practice, it is always 'tag'.
+
+`TRAEFIK_PROVIDERS_RANCHER_CONSTRAINTS[n]_MUSTMATCH`:
+Whether the matching operator is equals or not equals. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_RANCHER_CONSTRAINTS[n]_VALUE`:
+The value that will be matched against.
+
+`TRAEFIK_PROVIDERS_RANCHER_DEFAULTRULE`:
+Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
+
+`TRAEFIK_PROVIDERS_RANCHER_ENABLESERVICEHEALTHFILTER`:
+Filter services with unhealthy states and inactive states. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_RANCHER_EXPOSEDBYDEFAULT`:
+Expose containers by default. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_RANCHER_INTERVALPOLL`:
+Poll the Rancher metadata service every 'rancher.refreshseconds' (less accurate). (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_RANCHER_PREFIX`:
+Prefix used for accessing the Rancher metadata service. (Default: ```latest```)
+
+`TRAEFIK_PROVIDERS_RANCHER_REFRESHSECONDS`:
+Defines the polling interval in seconds. (Default: ```15```)
+
+`TRAEFIK_PROVIDERS_RANCHER_WATCH`:
+Watch provider. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_REST`:
+Enable Rest backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_REST_ENTRYPOINT`:
+EntryPoint. (Default: ```traefik```)
+
+`TRAEFIK_SERVERSTRANSPORT_FORWARDINGTIMEOUTS_DIALTIMEOUT`:
+The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
+
+`TRAEFIK_SERVERSTRANSPORT_FORWARDINGTIMEOUTS_RESPONSEHEADERTIMEOUT`:
+The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. (Default: ```0```)
+
+`TRAEFIK_SERVERSTRANSPORT_INSECURESKIPVERIFY`:
+Disable SSL certificate verification. (Default: ```false```)
+
+`TRAEFIK_SERVERSTRANSPORT_MAXIDLECONNSPERHOST`:
+If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used (Default: ```0```)
+
+`TRAEFIK_SERVERSTRANSPORT_ROOTCAS`:
+Add cert file for self-signed certificate.
+
+`TRAEFIK_TRACING`:
+OpenTracing configuration. (Default: ```false```)
+
+`TRAEFIK_TRACING_BACKEND`:
+Selects the tracking backend ('jaeger','zipkin','datadog','instana'). (Default: ```jaeger```)
+
+`TRAEFIK_TRACING_DATADOG`:
+Settings for DataDog. (Default: ```false```)
+
+`TRAEFIK_TRACING_DATADOG_BAGAGEPREFIXHEADERNAME`:
+Specifies the header name prefix that will be used to store baggage items in a map.
+
+`TRAEFIK_TRACING_DATADOG_DEBUG`:
+Enable DataDog debug. (Default: ```false```)
+
+`TRAEFIK_TRACING_DATADOG_GLOBALTAG`:
+Key:Value tag to be set on all the spans.
+
+`TRAEFIK_TRACING_DATADOG_LOCALAGENTHOSTPORT`:
+Set datadog-agent's host:port that the reporter will used. (Default: ```localhost:8126```)
+
+`TRAEFIK_TRACING_DATADOG_PARENTIDHEADERNAME`:
+Specifies the header name that will be used to store the parent ID.
+
+`TRAEFIK_TRACING_DATADOG_PRIORITYSAMPLING`:
+Enable priority sampling. When using distributed tracing, this option must be enabled in order to get all the parts of a distributed trace sampled. (Default: ```false```)
+
+`TRAEFIK_TRACING_DATADOG_SAMPLINGPRIORITYHEADERNAME`:
+Specifies the header name that will be used to store the sampling priority.
+
+`TRAEFIK_TRACING_DATADOG_TRACEIDHEADERNAME`:
+Specifies the header name that will be used to store the trace ID.
+
+`TRAEFIK_TRACING_HAYSTACK`:
+Settings for Haystack. (Default: ```false```)
+
+`TRAEFIK_TRACING_HAYSTACK_BAGGAGEPREFIXHEADERNAME`:
+specifies the header name prefix that will be used to store baggage items in a map.
+
+`TRAEFIK_TRACING_HAYSTACK_GLOBALTAG`:
+Key:Value tag to be set on all the spans.
+
+`TRAEFIK_TRACING_HAYSTACK_LOCALAGENTHOST`:
+Set haystack-agent's host that the reporter will used. (Default: ```LocalAgentHost```)
+
+`TRAEFIK_TRACING_HAYSTACK_LOCALAGENTPORT`:
+Set haystack-agent's port that the reporter will used. (Default: ```35000```)
+
+`TRAEFIK_TRACING_HAYSTACK_PARENTIDHEADERNAME`:
+Specifies the header name that will be used to store the parent ID.
+
+`TRAEFIK_TRACING_HAYSTACK_SPANIDHEADERNAME`:
+Specifies the header name that will be used to store the span ID.
+
+`TRAEFIK_TRACING_HAYSTACK_TRACEIDHEADERNAME`:
+Specifies the header name that will be used to store the trace ID.
+
+`TRAEFIK_TRACING_INSTANA`:
+Settings for Instana. (Default: ```false```)
+
+`TRAEFIK_TRACING_INSTANA_LOCALAGENTHOST`:
+Set instana-agent's host that the reporter will used. (Default: ```localhost```)
+
+`TRAEFIK_TRACING_INSTANA_LOCALAGENTPORT`:
+Set instana-agent's port that the reporter will used. (Default: ```42699```)
+
+`TRAEFIK_TRACING_INSTANA_LOGLEVEL`:
+Set instana-agent's log level. ('error','warn','info','debug') (Default: ```info```)
+
+`TRAEFIK_TRACING_JAEGER`:
+Settings for jaeger. (Default: ```false```)
+
+`TRAEFIK_TRACING_JAEGER_GEN128BIT`:
+Generate 128 bit span IDs. (Default: ```false```)
+
+`TRAEFIK_TRACING_JAEGER_LOCALAGENTHOSTPORT`:
+Set jaeger-agent's host:port that the reporter will used. (Default: ```127.0.0.1:6831```)
+
+`TRAEFIK_TRACING_JAEGER_PROPAGATION`:
+Which propgation format to use (jaeger/b3). (Default: ```jaeger```)
+
+`TRAEFIK_TRACING_JAEGER_SAMPLINGPARAM`:
+Set the sampling parameter. (Default: ```1.000000```)
+
+`TRAEFIK_TRACING_JAEGER_SAMPLINGSERVERURL`:
+Set the sampling server url. (Default: ```http://localhost:5778/sampling```)
+
+`TRAEFIK_TRACING_JAEGER_SAMPLINGTYPE`:
+Set the sampling type. (Default: ```const```)
+
+`TRAEFIK_TRACING_JAEGER_TRACECONTEXTHEADERNAME`:
+Set the header to use for the trace-id. (Default: ```uber-trace-id```)
+
+`TRAEFIK_TRACING_SERVICENAME`:
+Set the name for this service. (Default: ```traefik```)
+
+`TRAEFIK_TRACING_SPANNAMELIMIT`:
+Set the maximum character limit for Span names (default 0 = no limit). (Default: ```0```)
+
+`TRAEFIK_TRACING_ZIPKIN`:
+Settings for zipkin. (Default: ```false```)
+
+`TRAEFIK_TRACING_ZIPKIN_DEBUG`:
+Enable Zipkin debug. (Default: ```false```)
+
+`TRAEFIK_TRACING_ZIPKIN_HTTPENDPOINT`:
+HTTP Endpoint to report traces to. (Default: ```http://localhost:9411/api/v1/spans```)
+
+`TRAEFIK_TRACING_ZIPKIN_ID128BIT`:
+Use Zipkin 128 bit root span IDs. (Default: ```true```)
+
+`TRAEFIK_TRACING_ZIPKIN_SAMESPAN`:
+Use Zipkin SameSpan RPC style traces. (Default: ```false```)
+
+`TRAEFIK_TRACING_ZIPKIN_SAMPLERATE`:
+The rate between 0.0 and 1.0 of requests to trace. (Default: ```1.000000```)
diff --git a/docs/content/reference/static-configuration/file.md b/docs/content/reference/static-configuration/file.md
new file mode 100644
index 000000000..c103de7f7
--- /dev/null
+++ b/docs/content/reference/static-configuration/file.md
@@ -0,0 +1,7 @@
+# Static Configuration: File
+
+## TOML
+
+```toml
+--8<-- "content/reference/static-configuration/file.toml"
+```
diff --git a/docs/content/reference/static-configuration.toml b/docs/content/reference/static-configuration/file.toml
similarity index 92%
rename from docs/content/reference/static-configuration.toml
rename to docs/content/reference/static-configuration/file.toml
index f22d6d3c6..05c269221 100644
--- a/docs/content/reference/static-configuration.toml
+++ b/docs/content/reference/static-configuration/file.toml
@@ -1,5 +1,4 @@
[Global]
- Debug = true
CheckNewVersion = true
SendAnonymousUsage = true
@@ -31,8 +30,8 @@
TrustedIPs = ["foobar", "foobar"]
[Providers]
-
ProvidersThrottleDuration = 42
+
[Providers.Docker]
Watch = true
Endpoint = "foobar"
@@ -52,18 +51,21 @@
Key = "foobar"
MustMatch = true
Regex = "foobar"
+
[Providers.Docker.TLS]
CA = "foobar"
CAOptional = true
Cert = "foobar"
Key = "foobar"
InsecureSkipVerify = true
+
[Providers.File]
Directory = "foobar"
Watch = true
Filename = "foobar"
DebugLogGeneratedTemplate = true
TraefikFile = "foobar"
+
[Providers.Marathon]
Trace = true
Watch = true
@@ -88,6 +90,7 @@
Key = "foobar"
MustMatch = true
Regex = "foobar"
+
[Providers.Marathon.TLS]
CA = "foobar"
CAOptional = true
@@ -97,6 +100,7 @@
[Providers.Marathon.Basic]
HTTPBasicAuthUser = "foobar"
HTTPBasicPassword = "foobar"
+
[Providers.Kubernetes]
Endpoint = "foobar"
Token = "foobar"
@@ -109,6 +113,7 @@
IP = "foobar"
Hostname = "foobar"
PublishedService = "foobar"
+
[Providers.KubernetesCRD]
Endpoint = "foobar"
Token = "foobar"
@@ -117,9 +122,29 @@
Namespaces = ["foobar", "foobar"]
LabelSelector = "foobar"
IngressClass = "foobar"
+
[Providers.Rest]
EntryPoint = "foobar"
+ [Providers.Rancher]
+ Watch = true
+ DefaultRule = "foobar"
+ ExposedByDefault = true
+ EnableServiceHealthFilter = true
+ RefreshSeconds = 42
+ IntervalPoll = true
+ Prefix = "foobar"
+
+ [[Providers.Rancher.Constraints]]
+ Key = "foobar"
+ MustMatch = true
+ Regex = "foobar"
+
+ [[Providers.Rancher.Constraints]]
+ Key = "foobar"
+ MustMatch = true
+ Regex = "foobar"
+
[API]
EntryPoint = "foobar"
Dashboard = true
@@ -128,16 +153,20 @@
RecentErrors = 42
[Metrics]
+
[Metrics.Prometheus]
Buckets = [42.0, 42.0]
EntryPoint = "foobar"
Middlewares = ["foobar", "foobar"]
+
[Metrics.Datadog]
Address = "foobar"
PushInterval = "foobar"
+
[Metrics.StatsD]
Address = "foobar"
PushInterval = "foobar"
+
[Metrics.InfluxDB]
Address = "foobar"
Protocol = "foobar"
@@ -179,6 +208,7 @@
Backend = "foobar"
ServiceName = "foobar"
SpanNameLimit = 42
+
[Tracing.Jaeger]
SamplingServerURL = "foobar"
SamplingType = "foobar"
@@ -187,12 +217,14 @@
Gen128Bit = true
Propagation = "foobar"
TraceContextHeaderName = "foobar"
+
[Tracing.Zipkin]
HTTPEndpoint = "foobar"
SameSpan = true
ID128Bit = true
Debug = true
SampleRate = 42.0
+
[Tracing.DataDog]
LocalAgentHostPort = "foobar"
GlobalTag = "foobar"
@@ -202,10 +234,11 @@
ParentIDHeaderName = "foobar"
SamplingPriorityHeaderName = "foobar"
BagagePrefixHeaderName = "foobar"
+
[Tracing.Instana]
LocalAgentHost = "foobar"
LocalAgentPort = 42
- Level = "foobar"
+ LogLevel = "foobar"
[HostResolver]
CnameFlattening = true
@@ -220,13 +253,16 @@
EntryPoint = "foobar"
KeyType = "foobar"
OnHostRule = true
+
[ACME.DNSChallenge]
Provider = "foobar"
DelayBeforeCheck = 42
Resolvers = ["foobar", "foobar"]
DisablePropagationCheck = true
+
[ACME.HTTPChallenge]
EntryPoint = "foobar"
+
[ACME.TLSChallenge]
[[ACME.Domains]]
diff --git a/docs/content/reference/static-configuration/overview.md b/docs/content/reference/static-configuration/overview.md
new file mode 100644
index 000000000..57bf649d0
--- /dev/null
+++ b/docs/content/reference/static-configuration/overview.md
@@ -0,0 +1,5 @@
+# Static Configuration
+
+- [File](./file.md)
+- [CLI](./cli.md)
+- [Environment Variables](./env.md)
diff --git a/docs/content/routing/entrypoints.md b/docs/content/routing/entrypoints.md
index 8a72b7876..2734bf54c 100644
--- a/docs/content/routing/entrypoints.md
+++ b/docs/content/routing/entrypoints.md
@@ -47,7 +47,7 @@ See the complete reference for the list of available options:
[EntryPoints]
[EntryPoints.EntryPoint0]
- Address = "foobar"
+ Address = ":8888"
[EntryPoints.EntryPoint0.Transport]
[EntryPoints.EntryPoint0.Transport.LifeCycle]
RequestAcceptGraceTimeout = 42
@@ -65,52 +65,18 @@ See the complete reference for the list of available options:
```
```ini tab="CLI"
-Name:EntryPoint0
-Address:foobar
-Transport.LifeCycle.RequestAcceptGraceTimeout:42
-Transport.LifeCycle.GraceTimeOut:42
-Transport.RespondingTimeouts.ReadTimeout:42
-Transport.RespondingTimeouts.WriteTimeout:42
-Transport.RespondingTimeouts.IdleTimeout:42
-ProxyProtocol.Insecure:true
-ProxyProtocol.TrustedIPs:foobar,foobar
-ForwardedHeaders.Insecure:true
-ForwardedHeaders.TrustedIPs:foobar,foobar
+--entryPoints.EntryPoint0.Address=:8888
+--entryPoints.EntryPoint0.Transport.LifeCycle.RequestAcceptGraceTimeout=42
+--entryPoints.EntryPoint0.Transport.LifeCycle.GraceTimeOut=42
+--entryPoints.EntryPoint0.Transport.RespondingTimeouts.ReadTimeout=42
+--entryPoints.EntryPoint0.Transport.RespondingTimeouts.WriteTimeout=42
+--entryPoints.EntryPoint0.Transport.RespondingTimeouts.IdleTimeout=42
+--entryPoints.EntryPoint0.ProxyProtocol.Insecure=true
+--entryPoints.EntryPoint0.ProxyProtocol.TrustedIPs=foobar,foobar
+--entryPoints.EntryPoint0.ForwardedHeaders.Insecure=true
+--entryPoints.EntryPoint0.ForwardedHeaders.TrustedIPs=foobar,foobar
```
-??? example "Using the CLI"
-
- Here is an example of using the CLI to define `entrypoints`:
-
- ```shell
- --entryPoints='Name:http Address::80'
- --entryPoints='Name:https Address::443'
- ```
-
- !!! note
- The whitespace character (` `) is the option separator, and the comma (`,`) is the value separator for lists inside an option.
- The option names are case-insensitive.
-
- !!! warning "Using Docker Compose Files"
-
- The syntax for passing arguments inside a docker compose file is a little different. Here are two examples.
-
- ```yaml
- traefik:
- image: traefik:v2.0 # The official v2.0 Traefik docker image
- command:
- - --defaultentrypoints=powpow
- - "--entryPoints=Name:powpow Address::42 Compress:true"
- ```
-
- or
-
- ```yaml
- traefik:
- image: traefik:v2.0 # The official v2.0 Traefik docker image
- command: --defaultentrypoints=powpow --entryPoints='Name:powpow Address::42 Compress:true'
- ```
-
## ProxyProtocol
Traefik supports [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt).
@@ -128,9 +94,10 @@ Traefik supports [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-
IPs in `trustedIPs` only will lead to remote client address replacement: Declare load-balancer IPs or CIDR range here.
-??? example "Insecure Mode -- Testing Environnement Only"
+??? example "Insecure Mode -- Testing Environment Only"
- In a test environments, you can configure Traefik to trust every incoming connection. Doing so, every remote client address will be replaced (`trustedIPs` won't have any effect)
+ In a test environments, you can configure Traefik to trust every incoming connection.
+ Doing so, every remote client address will be replaced (`trustedIPs` won't have any effect)
```toml
[entryPoints]
diff --git a/docs/content/routing/overview.md b/docs/content/routing/overview.md
index 8c165c239..8fbb01242 100644
--- a/docs/content/routing/overview.md
+++ b/docs/content/routing/overview.md
@@ -3,7 +3,7 @@
What's Happening to the Requests?
{: .subtitle }
-Let's zoom on Traefik's architecture and talk about the components that enable the routes to be created.
+Let's zoom in on Traefik's architecture and talk about the components that enable the routes to be created.
First, when you start Traefik, you define [entrypoints](../entrypoints) (in their most basic forms, they are port numbers).
Then, connected to these entrypoints, [routers](../routers) analyze the incoming requests to see if they match a set of [rules](../routers#rule).
@@ -14,7 +14,7 @@ If they do, the router might transform the request using pieces of [middleware](
## Clear Responsibilities
- [_Providers_](../providers/overview.md) discover the services that live on your infrastructure (their IP, health, ...)
-- [_Entrypoints_](./entrypoints.md) listen for incomming traffic (ports, ...)
+- [_Entrypoints_](./entrypoints.md) listen for incoming traffic (ports, ...)
- [_Routers_](./routers/index.md) analyse the requests (host, path, headers, SSL, ...)
- [_Services_](./services/index.md) forward the request to your services (load balancing, ...)
- [_Middlewares_](../middlewares/overview.md) may update the request or make decisions based on the request (authentication, rate limiting, headers, ...)
diff --git a/docs/content/routing/routers/index.md b/docs/content/routing/routers/index.md
index 0f6d5f1ac..0dfaa2348 100644
--- a/docs/content/routing/routers/index.md
+++ b/docs/content/routing/routers/index.md
@@ -51,7 +51,7 @@ In the process, routers may use pieces of [middleware](../../middlewares/overvie
### EntryPoints
If not specified, HTTP routers will accept requests from all defined entrypoints.
-If you want to limit the router scope to a set of entrypoint, set the entrypoints option.
+If you want to limit the router scope to a set of entrypoints, set the entrypoints option.
??? example "Listens to Every EntryPoint"
@@ -92,7 +92,7 @@ If you want to limit the router scope to a set of entrypoint, set the entrypoint
### Rule
Rules are a set of matchers that determine if a particular request matches specific criteria.
-If the rule is verified, then the router becomes active and calls middlewares, then forward the request to the service.
+If the rule is verified, the router becomes active, calls middlewares, and then forwards the request to the service.
??? example "Host is traefik.io"
@@ -107,16 +107,16 @@ If the rule is verified, then the router becomes active and calls middlewares, t
```
The table below lists all the available matchers:
-| Rule | Description |
-|--------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------|
-| ``Headers(`key`, `value`)`` | Check if there is a key `key`defined in the headers, with the value `value` |
-| ``HeadersRegexp(`key`, `regexp`)`` | Check if there is a key `key`defined in the headers, with a value that matches the regular expression `regexp` |
-| ``Host(`domain-1`, ...)`` | Check if the request domain targets one of the given `domains`. |
-| ``HostRegexp(`traefik.io`, `{subdomain:[a-z]+}.traefik.io`, ...)`` | Check if the request domain matches the given `regexp`. |
-| `Method(methods, ...)` | Check if the request method is one of the given `methods` (`GET`, `POST`, `PUT`, `DELETE`, `PATCH`) |
-| ``Path(`path`, `/articles/{category}/{id:[0-9]+}`, ...)`` | Match exact request path. It accepts a sequence of literal and regular expression paths. |
-| ``PathPrefix(`/products/`, `/articles/{category}/{id:[0-9]+}`)`` | Match request prefix path. It accepts a sequence of literal and regular expression prefix paths. |
-| ``Query(`foo=bar`, `bar=baz`)`` | Match` Query String parameters. It accepts a sequence of key=value pairs. |
+| Rule | Description |
+|----------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------|
+| ```Headers(`key`, `value`)``` | Check if there is a key `key`defined in the headers, with the value `value` |
+| ```HeadersRegexp(`key`, `regexp`)``` | Check if there is a key `key`defined in the headers, with a value that matches the regular expression `regexp` |
+| ```Host(`domain-1`, ...)``` | Check if the request domain targets one of the given `domains`. |
+| ```HostRegexp(`traefik.io`, `{subdomain:[a-z]+}.traefik.io`, ...)``` | Check if the request domain matches the given `regexp`. |
+| `Method(methods, ...)` | Check if the request method is one of the given `methods` (`GET`, `POST`, `PUT`, `DELETE`, `PATCH`) |
+| ```Path(`path`, `/articles/{category}/{id:[0-9]+}`, ...)``` | Match exact request path. It accepts a sequence of literal and regular expression paths. |
+| ```PathPrefix(`/products/`, `/articles/{category}/{id:[0-9]+}`)``` | Match request prefix path. It accepts a sequence of literal and regular expression prefix paths. |
+| ```Query(`foo=bar`, `bar=baz`)``` | Match` Query String parameters. It accepts a sequence of key=value pairs. |
!!! important "Regexp Syntax"
@@ -156,7 +156,9 @@ Services are the target for the router.
### TLS
-When specifying a TLS section, you tell Traefik that the current router is dedicated to HTTPS requests only (and that the router should ignore HTTP (non tls) requests).
+#### General
+
+ When a TLS section is specified, it instructs Traefik that the current router is dedicated to HTTPS requests only (and that the router should ignore HTTP (non TLS) requests).
Traefik will terminate the SSL connections (meaning that it will send decrypted data to the services).
??? example "Configuring the router to accept HTTPS requests only"
@@ -171,9 +173,8 @@ Traefik will terminate the SSL connections (meaning that it will send decrypted
!!! note "HTTPS & ACME"
- In the current version, with [ACME](../../https-tls/acme.md) enabled, automatic certificate generation will apply to every router declaring a TLS section.
- In the near future, options will be available to enable fine-grain control of the TLS parameters.
-
+ In the current version, with [ACME](../../https/acme.md) enabled, automatic certificate generation will apply to every router declaring a TLS section.
+
!!! note "Passthrough"
On TCP routers, you can configure a passthrough option so that Traefik doesn't terminate the TLS connection.
@@ -186,27 +187,52 @@ Traefik will terminate the SSL connections (meaning that it will send decrypted
```toml
[http.routers]
- [http.routers.Router-1-https]
+ [http.routers.my-https-router]
rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
service = "service-id"
- [http.routers.Router-1.tls] # will terminate the TLS request
+ [http.routers.my-https-router.tls] # will terminate the TLS request
- [http.routers.Router-1-http]
+ [http.routers.my-http-router]
rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
service = "service-id"
```
+#### `Options`
+
+The `Options` field enables fine-grained control of the TLS parameters.
+It refers to a [tlsOptions](../../https/tls.md#tls-options) and will be applied only if a `Host` rule is defined.
+
+??? example "Configuring the tls options"
+
+ ```toml
+ [http.routers]
+ [http.routers.Router-1]
+ rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
+ service = "service-id"
+ [http.routers.Router-1.tls] # will terminate the TLS request
+ options = "foo"
+
+
+ [tlsOptions]
+ [tlsOptions.foo]
+ minVersion = "VersionTLS12"
+ cipherSuites = [
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_RSA_WITH_AES_256_GCM_SHA384"
+ ]
+ ```
+
## Configuring TCP Routers
### General
-If both HTTP routers and TCP routers listen to the same entrypoints, the TCP routers will apply *before* the HTTP routers.
+If both HTTP routers and TCP routers listen to the same entry points, the TCP routers will apply *before* the HTTP routers.
If no matching route is found for the TCP routers, then the HTTP routers will take over.
### EntryPoints
-If not specified, TCP routers will accept requests from all defined entrypoints.
-If you want to limit the router scope to a set of entrypoints, set the entrypoints option.
+If not specified, TCP routers will accept requests from all defined entry points.
+If you want to limit the router scope to a set of entry points, set the entry points option.
??? example "Listens to Every EntryPoint"
@@ -248,9 +274,9 @@ If you want to limit the router scope to a set of entrypoints, set the entrypoin
### Rule
-| Rule | Description |
-|------------------------------|-------------------------------------------------------------------------|
-| ``HostSNI(`domain-1`, ...)`` | Check if the Server Name Indication corresponds to the given `domains`. |
+| Rule | Description |
+|--------------------------------|-------------------------------------------------------------------------|
+| ```HostSNI(`domain-1`, ...)``` | Check if the Server Name Indication corresponds to the given `domains`. |
!!! important "HostSNI & TLS"
@@ -269,15 +295,17 @@ Services are the target for the router.
### TLS
-When specifying a TLS section, you tell Traefik that the current router is dedicated to TLS requests only (and that the router should ignore non-tls requests).
-By default, Traefik will terminate the SSL connections (meaning that it will send decrypted data to the services), but you can tell Traefik that the request should pass through (keeping the encrypted data) and be forwarded to the service "as is".
+#### General
+
+ When a TLS section is specified, it instructs Traefik that the current router is dedicated to TLS requests only (and that the router should ignore non-TLS requests).
+ By default, Traefik will terminate the SSL connections (meaning that it will send decrypted data to the services), but Traefik can be configured in order to let the requests pass through (keeping the data encrypted), and be forwarded to the service "as is".
??? example "Configuring TLS Termination"
```toml
[tcp.routers]
[tcp.routers.Router-1]
- rule = "Host(`foo-domain`)"
+ rule = "HostSNI(`foo-domain`)"
service = "service-id"
[tcp.routers.Router-1.tls] # will terminate the TLS request by default
```
@@ -287,7 +315,7 @@ By default, Traefik will terminate the SSL connections (meaning that it will sen
```toml
[tcp.routers]
[tcp.routers.Router-1]
- rule = "Host(`foo-domain`)"
+ rule = "HostSNI(`foo-domain`)"
service = "service-id"
[tcp.routers.Router-1.tls]
passthrough=true
@@ -295,5 +323,29 @@ By default, Traefik will terminate the SSL connections (meaning that it will sen
!!! note "TLS & ACME"
- In the current version, with [ACME](../../https-tls/acme.md) enabled, automatic certificate generation will apply to every router declaring a TLS section.
- In the near future, options will be available to enable fine-grain control of the TLS parameters.
+ In the current version, with [ACME](../../https/acme.md) enabled, automatic certificate generation will apply to every router declaring a TLS section.
+
+#### `Options`
+
+The `Options` field enables fine-grained control of the TLS parameters.
+It refers to a [tlsOptions](../../https/tls.md#tls-options) and will be applied only if a `HostSNI` rule is defined.
+
+??? example "Configuring the tls options"
+
+ ```toml
+ [tcp.routers]
+ [tcp.routers.Router-1]
+ rule = "HostSNI(`foo-domain`)"
+ service = "service-id"
+ [tcp.routers.Router-1.tls] # will terminate the TLS request
+ options = "foo"
+
+
+ [tlsOptions]
+ [tlsOptions.foo]
+ minVersion = "VersionTLS12"
+ cipherSuites = [
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_RSA_WITH_AES_256_GCM_SHA384"
+ ]
+ ```
diff --git a/docs/content/routing/services/index.md b/docs/content/routing/services/index.md
index cb4aca7dd..b3fc7c03d 100644
--- a/docs/content/routing/services/index.md
+++ b/docs/content/routing/services/index.md
@@ -14,14 +14,11 @@ The `Services` are responsible for configuring how to reach the actual services
```toml
[http.services]
[http.services.my-service.LoadBalancer]
- method = "wrr" # Load Balancing based on weights
[[http.services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-1/"
- weight = 30 # 30% of the requests will go to that instance
[[http.services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-2/"
- weight = 70 # 70% of the requests will go to that instance
```
??? example "Declaring a TCP Service with Two Servers -- Using the [File Provider](../../providers/file.md)"
@@ -52,21 +49,17 @@ The load balancers are able to load balance the requests between multiple instan
```toml
[http.services]
[http.services.my-service.LoadBalancer]
- method = "wrr" # Load Balancing based on weights
[[http.services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-1/"
- weight = 50 # 50% of the requests will go to that instance
[[http.services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-2/"
- weight = 50 # 50% of the requests will go to that instance
```
#### Servers
Servers declare a single instance of your program.
The `url` option point to a specific instance.
-The `weight` option defines the weight of the server for the load balancing algorithm.
!!! note
Paths in the servers' `url` have no effet.
@@ -80,28 +73,21 @@ The `weight` option defines the weight of the server for the load balancing algo
[http.services.my-service.LoadBalancer]
[[http.services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-1/"
- weight = 1
```
#### Load-balancing
-Various methods of load balancing are supported:
+For now, only round robin load balancing is supported:
-- `wrr`: Weighted Round Robin.
-- `drr`: Dynamic Round Robin: increases weights on servers that perform better than others (rolls back to original weights when the server list is updated)
-
-??? example "Load Balancing Using DRR -- Using the [File Provider](../../providers/file.md)"
+??? example "Load Balancing -- Using the [File Provider](../../providers/file.md)"
```toml
[http.services]
[http.services.my-service.LoadBalancer]
- method = "drr"
[[http.services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-1/"
- weight = 1
[[http.services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-1/"
- weight = 1
```
#### Sticky sessions
@@ -117,12 +103,18 @@ On subsequent requests, the client is forwarded to the same server.
The default cookie name is an abbreviation of a sha1 (ex: `_1d52e`).
+!!! note "Secure & HTTPOnly flags"
+
+ By default, the affinity cookie is created without those flags. One however can change that through configuration.
+
??? example "Adding Stickiness"
```toml
[http.services]
[http.services.my-service]
[http.services.my-service.LoadBalancer.stickiness]
+ secureCookie = true
+ httpOnlyCookie = true
```
??? example "Adding Stickiness with a Custom Cookie Name"
@@ -132,6 +124,8 @@ On subsequent requests, the client is forwarded to the same server.
[http.services.my-service]
[http.services.my-service.LoadBalancer.stickiness]
cookieName = "my_stickiness_cookie_name"
+ secureCookie = true
+ httpOnlyCookie = true
```
#### Health Check
@@ -239,7 +233,3 @@ The `address` option (IP:Port) point to a specific instance.
[[tcp.services.my-service.LoadBalancer.servers]]
address = "xx.xx.xx.xx:xx"
```
-
-!!! note "Weight"
-
- The TCP LoadBalancer is currently a round robin only implementation and doesn't yet support weights.
\ No newline at end of file
diff --git a/docs/content/user-guides/crd-acme/01-crd.yml b/docs/content/user-guides/crd-acme/01-crd.yml
index 45ace3f90..8914ccac1 100644
--- a/docs/content/user-guides/crd-acme/01-crd.yml
+++ b/docs/content/user-guides/crd-acme/01-crd.yml
@@ -12,6 +12,21 @@ spec:
singular: ingressroute
scope: Namespaced
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressroutetcps.traefik.containo.us
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRouteTCP
+ plural: ingressroutetcps
+ singular: ingressroutetcp
+ scope: Namespaced
+
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
@@ -74,6 +89,14 @@ rules:
- get
- list
- watch
+ - apiGroups:
+ - traefik.containo.us
+ resources:
+ - ingressroutetcps
+ verbs:
+ - get
+ - list
+ - watch
---
kind: ClusterRoleBinding
diff --git a/docs/content/user-guides/crd-acme/03-deployments.yml b/docs/content/user-guides/crd-acme/03-deployments.yml
index 712503a53..52b70d47c 100644
--- a/docs/content/user-guides/crd-acme/03-deployments.yml
+++ b/docs/content/user-guides/crd-acme/03-deployments.yml
@@ -30,8 +30,8 @@ spec:
args:
- --api
- --accesslog
- - --entrypoints=Name:web Address::8000
- - --entrypoints=Name:websecure Address::4443
+ - --entrypoints.web.Address=:8000
+ - --entrypoints.websecure.Address=:4443
- --providers.kubernetescrd
- --providers.kubernetescrd.trace
- --acme
diff --git a/docs/content/user-guides/crd-acme/04-ingressroutes.yml b/docs/content/user-guides/crd-acme/04-ingressroutes.yml
index a2d6ab0ce..04baed826 100644
--- a/docs/content/user-guides/crd-acme/04-ingressroutes.yml
+++ b/docs/content/user-guides/crd-acme/04-ingressroutes.yml
@@ -26,5 +26,5 @@ spec:
services:
- name: whoami
port: 80
- tls:
- secretName: ""
+ # Please note the use of an empty TLS object to enable TLS with Let's Encrypt.
+ tls: {}
diff --git a/docs/content/user-guides/crd-acme/k3s.yml b/docs/content/user-guides/crd-acme/k3s.yml
index 5fe32dfff..6e9042646 100644
--- a/docs/content/user-guides/crd-acme/k3s.yml
+++ b/docs/content/user-guides/crd-acme/k3s.yml
@@ -1,5 +1,5 @@
server:
- image: rancher/k3s:v0.2.0
+ image: rancher/k3s:v0.5.0
command: server --disable-agent --no-deploy traefik
environment:
- K3S_CLUSTER_SECRET=somethingtotallyrandom
@@ -17,7 +17,7 @@ server:
- 6443:6443
node:
- image: rancher/k3s:v0.2.0
+ image: rancher/k3s:v0.5.0
privileged: true
links:
- server
diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml
index 7eb33dba7..6dfbe7488 100644
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@@ -85,8 +85,9 @@ nav:
- 'Routers': 'routing/routers/index.md'
- 'Services': 'routing/services/index.md'
- 'HTTPS & TLS':
- - 'Overview': 'https-tls/overview.md'
- - 'ACME': 'https-tls/acme.md'
+ - 'Overview': 'https/overview.md'
+ - 'TLS': 'https/tls.md'
+ - 'Let''s Encrypt': 'https/acme.md'
- 'Middlewares':
- 'Overview': 'middlewares/overview.md'
- 'AddPrefix': 'middlewares/addprefix.md'
@@ -113,8 +114,8 @@ nav:
- 'Operations':
- 'CLI': 'operations/cli.md'
- 'Dashboard' : 'operations/dashboard.md'
+ - 'API': 'operations/api.md'
- 'Ping': 'operations/ping.md'
- - 'Debug Mode': 'operations/debug-mode.md'
- 'Observability':
- 'Logs': 'observability/logs.md'
- 'Access Logs': 'observability/access-logs.md'
@@ -133,7 +134,11 @@ nav:
- 'Maintainers': 'contributing/maintainers.md'
- 'Glossary': 'glossary.md'
- 'References':
- - 'Static Configuration': 'reference/static-configuration.md'
+ - 'Static Configuration':
+ - 'Overview': 'reference/static-configuration/overview.md'
+ - 'File': 'reference/static-configuration/file.md'
+ - 'CLI': 'reference/static-configuration/cli.md'
+ - 'Environment variables': 'reference/static-configuration/env.md'
- 'Dynamic Configuration':
- 'Docker': 'reference/dynamic-configuration/docker.md'
- 'Kubernetes CRD': 'reference/dynamic-configuration/kubernetes-crd.md'
diff --git a/docs/theme/main.html b/docs/theme/main.html
index 72bfe5a13..a8e704e40 100644
--- a/docs/theme/main.html
+++ b/docs/theme/main.html
@@ -19,9 +19,9 @@
{% endif %}
powered by
- MkDocs
+ MkDocs
and
-
Material for MkDocs
diff --git a/integration/access_log_test.go b/integration/access_log_test.go
index 606f774bb..0dee57484 100644
--- a/integration/access_log_test.go
+++ b/integration/access_log_test.go
@@ -581,7 +581,7 @@ func CheckAccessLogFormat(c *check.C, line string, i int) {
c.Assert(results, checker.HasLen, 14)
c.Assert(results[accesslog.OriginStatus], checker.Matches, `^(-|\d{3})$`)
c.Assert(results[accesslog.RequestCount], checker.Equals, fmt.Sprintf("%d", i+1))
- c.Assert(results[accesslog.RouterName], checker.HasPrefix, "\"docker.rt-")
+ c.Assert(results[accesslog.RouterName], checker.HasPrefix, "\"docker@rt-")
c.Assert(results[accesslog.ServiceURL], checker.HasPrefix, "\"http://")
c.Assert(results[accesslog.Duration], checker.Matches, `^\d+ms$`)
}
@@ -596,14 +596,14 @@ func checkAccessLogExactValues(c *check.C, line string, i int, v accessLogValue)
}
c.Assert(results[accesslog.OriginStatus], checker.Equals, v.code)
c.Assert(results[accesslog.RequestCount], checker.Equals, fmt.Sprintf("%d", i+1))
- c.Assert(results[accesslog.RouterName], checker.Matches, `^"?(docker\.)?`+v.routerName+`.*$`)
+ c.Assert(results[accesslog.RouterName], checker.Matches, `^"?(docker@)?`+v.routerName+`.*$`)
c.Assert(results[accesslog.ServiceURL], checker.Matches, `^"?`+v.serviceURL+`.*$`)
c.Assert(results[accesslog.Duration], checker.Matches, `^\d+ms$`)
}
func waitForTraefik(c *check.C, containerName string) {
// Wait for Traefik to turn ready.
- req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8080/api/providers/docker/routers", nil)
+ req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8080/api/rawdata", nil)
c.Assert(err, checker.IsNil)
err = try.Request(req, 2*time.Second, try.StatusCodeIs(http.StatusOK), try.BodyContains(containerName))
diff --git a/integration/acme_test.go b/integration/acme_test.go
index 8ea4bba10..6b72a95f8 100644
--- a/integration/acme_test.go
+++ b/integration/acme_test.go
@@ -333,7 +333,7 @@ func (s *AcmeSuite) TestNoValidLetsEncryptServer(c *check.C) {
defer cmd.Process.Kill()
// Expected traefik works
- err = try.GetRequest("http://127.0.0.1:8080/api/providers", 10*time.Second, try.StatusCodeIs(http.StatusOK))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
}
diff --git a/integration/docker_compose_test.go b/integration/docker_compose_test.go
index bd156b0b9..8e39fafd9 100644
--- a/integration/docker_compose_test.go
+++ b/integration/docker_compose_test.go
@@ -62,27 +62,23 @@ func (s *DockerComposeSuite) TestComposeScale(c *check.C) {
_, err = try.ResponseUntilStatusCode(req, 1500*time.Millisecond, http.StatusOK)
c.Assert(err, checker.IsNil)
- resp, err := http.Get("http://127.0.0.1:8080/api/providers/docker/services")
+ resp, err := http.Get("http://127.0.0.1:8080/api/rawdata")
c.Assert(err, checker.IsNil)
defer resp.Body.Close()
- var services []api.ServiceRepresentation
- err = json.NewDecoder(resp.Body).Decode(&services)
- c.Assert(err, checker.IsNil)
-
- // check that we have only one service with n servers
- c.Assert(services, checker.HasLen, 1)
- c.Assert(services[0].ID, checker.Equals, composeService+"_integrationtest"+composeProject)
- c.Assert(services[0].LoadBalancer.Servers, checker.HasLen, serviceCount)
-
- resp, err = http.Get("http://127.0.0.1:8080/api/providers/docker/routers")
- c.Assert(err, checker.IsNil)
- defer resp.Body.Close()
-
- var routers []api.RouterRepresentation
- err = json.NewDecoder(resp.Body).Decode(&routers)
+ var rtconf api.RunTimeRepresentation
+ err = json.NewDecoder(resp.Body).Decode(&rtconf)
c.Assert(err, checker.IsNil)
// check that we have only one router
- c.Assert(routers, checker.HasLen, 1)
+ c.Assert(rtconf.Routers, checker.HasLen, 1)
+
+ // check that we have only one service with n servers
+ services := rtconf.Services
+ c.Assert(services, checker.HasLen, 1)
+ for k, v := range services {
+ c.Assert(k, checker.Equals, "docker@"+composeService+"_integrationtest"+composeProject)
+ c.Assert(v.LoadBalancer.Servers, checker.HasLen, serviceCount)
+ // We could break here, but we don't just to keep us honest.
+ }
}
diff --git a/integration/docker_test.go b/integration/docker_test.go
index 78187f53d..b60a5d0c0 100644
--- a/integration/docker_test.go
+++ b/integration/docker_test.go
@@ -315,7 +315,7 @@ func (s *DockerSuite) TestRestartDockerContainers(c *check.C) {
c.Assert(json.Unmarshal(body, &version), checker.IsNil)
c.Assert(version["Version"], checker.Equals, "swarm/1.0.0")
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/docker/services", 60*time.Second, try.BodyContains("powpow"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 60*time.Second, try.BodyContains("powpow"))
c.Assert(err, checker.IsNil)
s.stopAndRemoveContainerByName(c, "powpow")
@@ -323,11 +323,11 @@ func (s *DockerSuite) TestRestartDockerContainers(c *check.C) {
time.Sleep(5 * time.Second)
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/docker/services", 10*time.Second, try.BodyContains("powpow"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.BodyContains("powpow"))
c.Assert(err, checker.NotNil)
s.startContainerWithNameAndLabels(c, "powpow", "swarm:1.0.0", labels, "manage", "token://blabla")
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/docker/services", 60*time.Second, try.BodyContains("powpow"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 60*time.Second, try.BodyContains("powpow"))
c.Assert(err, checker.IsNil)
}
diff --git a/integration/fixtures/acme/acme_base.toml b/integration/fixtures/acme/acme_base.toml
index 4f693fb6c..9d7deab1b 100644
--- a/integration/fixtures/acme/acme_base.toml
+++ b/integration/fixtures/acme/acme_base.toml
@@ -46,7 +46,6 @@ level = "DEBUG"
[http.services.test.loadbalancer]
[[http.services.test.loadbalancer.servers]]
url = "http://127.0.0.1:9010"
- weight = 1
[http.routers]
[http.routers.test]
diff --git a/integration/fixtures/acme/acme_tls.toml b/integration/fixtures/acme/acme_tls.toml
index eba84f38d..27280bd74 100644
--- a/integration/fixtures/acme/acme_tls.toml
+++ b/integration/fixtures/acme/acme_tls.toml
@@ -46,7 +46,6 @@ level = "DEBUG"
[http.services.test.loadbalancer]
[[http.services.test.loadbalancer.servers]]
url = "http://127.0.0.1:9010"
- weight = 1
[http.routers]
[http.routers.test]
diff --git a/integration/fixtures/acme/certificates.toml b/integration/fixtures/acme/certificates.toml
index 23efdd0ce..ff1653bfd 100644
--- a/integration/fixtures/acme/certificates.toml
+++ b/integration/fixtures/acme/certificates.toml
@@ -2,7 +2,6 @@
[http.services.test.loadbalancer]
[[http.services.test.loadbalancer.servers]]
url = "http://127.0.0.1:9010"
- weight = 1
[http.routers]
[http.routers.test]
diff --git a/integration/fixtures/docker/simple.toml b/integration/fixtures/docker/simple.toml
index 365533562..767abfd82 100644
--- a/integration/fixtures/docker/simple.toml
+++ b/integration/fixtures/docker/simple.toml
@@ -15,4 +15,4 @@ level = "DEBUG"
[providers.docker]
endpoint = "{{ .DockerHost }}"
defaultRule = "{{ .DefaultRule }}"
- exposedByDefault = true
+ exposedByDefault = true
diff --git a/integration/fixtures/error_pages/error.toml b/integration/fixtures/error_pages/error.toml
index 5d6d10932..c4d6d4c32 100644
--- a/integration/fixtures/error_pages/error.toml
+++ b/integration/fixtures/error_pages/error.toml
@@ -29,9 +29,7 @@ level = "DEBUG"
passHostHeader = true
[[http.services.service1.loadbalancer.servers]]
url = "http://{{.Server1}}:8989474"
- weight = 1
[http.services.error.loadbalancer]
[[http.services.error.loadbalancer.servers]]
url = "http://{{.Server2}}:80"
- weight = 1
diff --git a/integration/fixtures/error_pages/simple.toml b/integration/fixtures/error_pages/simple.toml
index 385def51b..f34230ff2 100644
--- a/integration/fixtures/error_pages/simple.toml
+++ b/integration/fixtures/error_pages/simple.toml
@@ -29,9 +29,7 @@ level = "DEBUG"
passHostHeader = true
[[http.services.service1.loadbalancer.servers]]
url = "http://{{.Server1}}:80"
- weight = 1
[http.services.error.loadbalancer]
[[http.services.error.loadbalancer.servers]]
url = "http://{{.Server2}}:80"
- weight = 1
diff --git a/integration/fixtures/file/dir/simple1.toml b/integration/fixtures/file/dir/simple1.toml
index 3e204d542..0fd29bce1 100644
--- a/integration/fixtures/file/dir/simple1.toml
+++ b/integration/fixtures/file/dir/simple1.toml
@@ -7,4 +7,3 @@
[http.services.service1.loadbalancer]
[[http.services.service1.loadbalancer.servers]]
url = "http://172.17.0.2:80"
- weight = 1
diff --git a/integration/fixtures/file/dir/simple2.toml b/integration/fixtures/file/dir/simple2.toml
index 52fec9cb1..b7c92dc0b 100644
--- a/integration/fixtures/file/dir/simple2.toml
+++ b/integration/fixtures/file/dir/simple2.toml
@@ -7,4 +7,3 @@
[http.services.service2.loadbalancer]
[[http.services.service2.loadbalancer.servers]]
url = "http://172.17.0.123:80"
- weight = 1
diff --git a/integration/fixtures/file/simple-hosts.toml b/integration/fixtures/file/simple-hosts.toml
new file mode 100644
index 000000000..2aea9d96b
--- /dev/null
+++ b/integration/fixtures/file/simple-hosts.toml
@@ -0,0 +1,27 @@
+[global]
+checkNewVersion = false
+sendAnonymousUsage = false
+
+[log]
+level = "DEBUG"
+
+[entryPoints]
+ [entryPoints.web]
+ address = ":8000"
+
+[providers]
+ [providers.file]
+
+[http.routers]
+ [http.routers.router1]
+ rule = "Host(`test.localhost`)"
+ service = "service1"
+
+ [http.routers.router2]
+ rule = "Host(`test.foo.localhost.`)"
+ service = "service1"
+
+[http.services]
+ [http.services.service1.loadbalancer]
+ [[http.services.service1.loadbalancer.servers]]
+ URL = "{{.Server}}"
diff --git a/integration/fixtures/file/simple.toml b/integration/fixtures/file/simple.toml
index accd6032d..e152729a2 100644
--- a/integration/fixtures/file/simple.toml
+++ b/integration/fixtures/file/simple.toml
@@ -30,17 +30,12 @@ level = "DEBUG"
[http.services.service1.loadbalancer]
[[http.services.service1.loadbalancer.servers]]
url = "http://172.17.0.2:80"
- weight = 10
[[http.services.service1.loadbalancer.servers]]
url = "http://172.17.0.3:80"
- weight = 1
-
+
[http.services.service2]
[http.services.service2.loadbalancer]
- method = "drr"
[[http.services.service2.loadbalancer.servers]]
url = "http://172.17.0.4:80"
- weight = 1
[[http.services.service2.loadbalancer.servers]]
url = "http://172.17.0.5:80"
- weight = 2
diff --git a/integration/fixtures/grpc/config.toml b/integration/fixtures/grpc/config.toml
index c88ed6914..2aa10f1c9 100644
--- a/integration/fixtures/grpc/config.toml
+++ b/integration/fixtures/grpc/config.toml
@@ -27,7 +27,6 @@ rootCAs = [ """{{ .CertContent }}""" ]
[http.services.service1.loadbalancer]
[[http.services.service1.loadbalancer.servers]]
url = "https://127.0.0.1:{{ .GRPCServerPort }}"
- weight = 1
[tlsStores.default.DefaultCertificate]
certFile = """{{ .CertContent }}"""
diff --git a/integration/fixtures/grpc/config_h2c.toml b/integration/fixtures/grpc/config_h2c.toml
index e1267ea22..b9d317e39 100644
--- a/integration/fixtures/grpc/config_h2c.toml
+++ b/integration/fixtures/grpc/config_h2c.toml
@@ -23,4 +23,3 @@ level = "DEBUG"
[http.services.service1.loadbalancer]
[[http.services.service1.loadbalancer.servers]]
url = "h2c://127.0.0.1:{{ .GRPCServerPort }}"
- weight = 1
diff --git a/integration/fixtures/grpc/config_h2c_termination.toml b/integration/fixtures/grpc/config_h2c_termination.toml
index 2533bcc07..2042816b5 100644
--- a/integration/fixtures/grpc/config_h2c_termination.toml
+++ b/integration/fixtures/grpc/config_h2c_termination.toml
@@ -25,7 +25,6 @@ level = "DEBUG"
[http.services.service1.loadbalancer]
[[http.services.service1.loadbalancer.servers]]
url = "h2c://127.0.0.1:{{ .GRPCServerPort }}"
- weight = 1
[tlsStores.default.DefaultCertificate]
certFile = """{{ .CertContent }}"""
diff --git a/integration/fixtures/grpc/config_insecure.toml b/integration/fixtures/grpc/config_insecure.toml
index 57e5a2499..406f4286a 100644
--- a/integration/fixtures/grpc/config_insecure.toml
+++ b/integration/fixtures/grpc/config_insecure.toml
@@ -27,7 +27,6 @@ insecureSkipVerify = true
[http.services.service1.loadbalancer]
[[http.services.service1.loadbalancer.servers]]
url = "https://127.0.0.1:{{ .GRPCServerPort }}"
- weight = 1
[tlsStores.default.DefaultCertificate]
certFile = """{{ .CertContent }}"""
diff --git a/integration/fixtures/grpc/config_retry.toml b/integration/fixtures/grpc/config_retry.toml
index b873f724c..0073ca393 100644
--- a/integration/fixtures/grpc/config_retry.toml
+++ b/integration/fixtures/grpc/config_retry.toml
@@ -34,7 +34,6 @@ rootCAs = [ """{{ .CertContent }}""" ]
flushInterval="1ms"
[[http.services.service1.loadbalancer.servers]]
url = "https://127.0.0.1:{{ .GRPCServerPort }}"
- weight = 1
[tlsStores.default.DefaultCertificate]
certFile = """{{ .CertContent }}"""
diff --git a/integration/fixtures/grpc/config_with_flush.toml b/integration/fixtures/grpc/config_with_flush.toml
deleted file mode 100644
index c88ed6914..000000000
--- a/integration/fixtures/grpc/config_with_flush.toml
+++ /dev/null
@@ -1,34 +0,0 @@
-[global]
-checkNewVersion = false
-sendAnonymousUsage = false
-
-[log]
-level = "DEBUG"
-
-[serversTransport]
-rootCAs = [ """{{ .CertContent }}""" ]
-
-[entryPoints]
- [entryPoints.web-secure]
- address = ":4443"
-
-[api]
-
-[providers]
- [providers.file]
-
-[http.routers]
- [http.routers.router1]
- rule = "Host(`127.0.0.1`)"
- service = "service1"
- [http.routers.router1.tls]
-
-[http.services]
- [http.services.service1.loadbalancer]
- [[http.services.service1.loadbalancer.servers]]
- url = "https://127.0.0.1:{{ .GRPCServerPort }}"
- weight = 1
-
-[tlsStores.default.DefaultCertificate]
- certFile = """{{ .CertContent }}"""
- keyFile = """{{ .KeyContent }}"""
diff --git a/integration/fixtures/headers/basic.toml b/integration/fixtures/headers/basic.toml
index a69314e18..750c5375b 100644
--- a/integration/fixtures/headers/basic.toml
+++ b/integration/fixtures/headers/basic.toml
@@ -21,4 +21,3 @@ level = "DEBUG"
[http.services.service1.loadbalancer]
[[http.services.service1.loadbalancer.servers]]
url = "http://172.17.0.2:80"
- weight = 1
diff --git a/integration/fixtures/headers/cors.toml b/integration/fixtures/headers/cors.toml
index fde39cd63..91166e52c 100644
--- a/integration/fixtures/headers/cors.toml
+++ b/integration/fixtures/headers/cors.toml
@@ -28,4 +28,3 @@ level = "DEBUG"
[http.services.service1.loadbalancer]
[[http.services.service1.loadbalancer.servers]]
url = "http://172.17.0.2:80"
- weight = 1
diff --git a/integration/fixtures/healthcheck/multiple-entrypoints-wrr.toml b/integration/fixtures/healthcheck/multiple-entrypoints-wrr.toml
deleted file mode 100644
index ca2e261f6..000000000
--- a/integration/fixtures/healthcheck/multiple-entrypoints-wrr.toml
+++ /dev/null
@@ -1,36 +0,0 @@
-[global]
-checkNewVersion = false
-sendAnonymousUsage = false
-
-[log]
-level = "DEBUG"
-
-[entryPoints]
- [entryPoints.http1]
- address = ":8000"
- [entryPoints.http2]
- address = ":9000"
-
-[api]
-
-[providers]
- [providers.file]
-
-[http.routers]
- [http.routers.router1]
- service = "service1"
- Rule = "Host(`test.localhost`)"
-
-[http.services]
- [http.services.service1.loadbalancer]
- method = "wrr"
- [http.services.service1.loadbalancer.healthcheck]
- path = "/health"
- interval = "1s"
- timeout = "0.9s"
- [[http.services.service1.loadbalancer.servers]]
- url = "http://{{.Server1}}:80"
- weight = 1
- [[http.services.service1.loadbalancer.servers]]
- url = "http://{{.Server2}}:80"
- weight = 1
diff --git a/integration/fixtures/healthcheck/multiple-entrypoints-drr.toml b/integration/fixtures/healthcheck/multiple-entrypoints.toml
similarity index 92%
rename from integration/fixtures/healthcheck/multiple-entrypoints-drr.toml
rename to integration/fixtures/healthcheck/multiple-entrypoints.toml
index eb8fb1e22..42b11861c 100644
--- a/integration/fixtures/healthcheck/multiple-entrypoints-drr.toml
+++ b/integration/fixtures/healthcheck/multiple-entrypoints.toml
@@ -23,14 +23,11 @@ level = "DEBUG"
[http.services]
[http.services.service1.loadbalancer]
- method = "drr"
[http.services.service1.loadbalancer.healthcheck]
path = "/health"
interval = "1s"
timeout = "0.9s"
[[http.services.service1.loadbalancer.servers]]
url = "http://{{.Server1}}:80"
- weight = 1
[[http.services.service1.loadbalancer.servers]]
url = "http://{{.Server2}}:80"
- weight = 1
diff --git a/integration/fixtures/healthcheck/port_overload.toml b/integration/fixtures/healthcheck/port_overload.toml
index 138ef9462..8b17a4724 100644
--- a/integration/fixtures/healthcheck/port_overload.toml
+++ b/integration/fixtures/healthcheck/port_overload.toml
@@ -21,7 +21,6 @@ level = "DEBUG"
[http.services]
[http.services.service1.loadbalancer]
- method = "drr"
[http.services.service1.loadbalancer.healthcheck]
path = "/health"
port = 80
@@ -29,4 +28,3 @@ level = "DEBUG"
timeout = "0.9s"
[[http.services.service1.loadbalancer.servers]]
url = "http://{{.Server1}}:81"
- weight = 1
diff --git a/integration/fixtures/healthcheck/simple.toml b/integration/fixtures/healthcheck/simple.toml
index 5bb413241..0e0cea877 100644
--- a/integration/fixtures/healthcheck/simple.toml
+++ b/integration/fixtures/healthcheck/simple.toml
@@ -27,7 +27,5 @@ level = "DEBUG"
timeout = "0.9s"
[[http.services.service1.loadbalancer.servers]]
url = "http://{{.Server1}}:80"
- weight = 1
[[http.services.service1.loadbalancer.servers]]
url = "http://{{.Server2}}:80"
- weight = 1
diff --git a/integration/fixtures/https/clientca/https_1ca1config.toml b/integration/fixtures/https/clientca/https_1ca1config.toml
index 50755445c..3ee74c690 100644
--- a/integration/fixtures/https/clientca/https_1ca1config.toml
+++ b/integration/fixtures/https/clientca/https_1ca1config.toml
@@ -30,13 +30,11 @@ level = "DEBUG"
[http.services.service1.LoadBalancer]
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://127.0.0.1:9010"
- Weight = 1
[http.services.service2]
[http.services.service2.LoadBalancer]
[[http.services.service2.LoadBalancer.Servers]]
URL = "http://127.0.0.1:9020"
- Weight = 1
[[tls]]
[tls.certificate]
diff --git a/integration/fixtures/https/clientca/https_2ca1config.toml b/integration/fixtures/https/clientca/https_2ca1config.toml
index 1443bb5ad..5497da6cd 100644
--- a/integration/fixtures/https/clientca/https_2ca1config.toml
+++ b/integration/fixtures/https/clientca/https_2ca1config.toml
@@ -30,13 +30,11 @@ level = "DEBUG"
[http.services.service1.LoadBalancer]
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://127.0.0.1:9010"
- Weight = 1
[http.services.service2]
[http.services.service2.LoadBalancer]
[[http.services.service2.LoadBalancer.Servers]]
URL = "http://127.0.0.1:9020"
- Weight = 1
[[tls]]
[tls.certificate]
diff --git a/integration/fixtures/https/clientca/https_2ca2config.toml b/integration/fixtures/https/clientca/https_2ca2config.toml
index 6af488d6c..2b518170d 100644
--- a/integration/fixtures/https/clientca/https_2ca2config.toml
+++ b/integration/fixtures/https/clientca/https_2ca2config.toml
@@ -29,13 +29,11 @@ level = "DEBUG"
[http.services.service1.LoadBalancer]
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://127.0.0.1:9010"
- Weight = 1
[http.services.service2]
[http.services.service2.LoadBalancer]
[[http.services.service2.LoadBalancer.Servers]]
URL = "http://127.0.0.1:9020"
- Weight = 1
[[tls]]
[tls.certificate]
diff --git a/integration/fixtures/https/dynamic_https.toml b/integration/fixtures/https/dynamic_https.toml
index 2c83ffa9d..949b3c4ed 100644
--- a/integration/fixtures/https/dynamic_https.toml
+++ b/integration/fixtures/https/dynamic_https.toml
@@ -14,13 +14,11 @@
[http.services.service1.LoadBalancer]
[[http.services.service1.LoadBalancer.Servers]]
url = "http://127.0.0.1:9010"
- weight = 1
[http.services.service2]
[http.services.service2.LoadBalancer]
[[http.services.service2.LoadBalancer.Servers]]
url = "http://127.0.0.1:9020"
- weight = 1
[[tls]]
# bad certificates to validate the loop on the certificate appending
diff --git a/integration/fixtures/https/dynamic_https_sni_default_cert.toml b/integration/fixtures/https/dynamic_https_sni_default_cert.toml
index e8f4fd768..cb0bd446a 100644
--- a/integration/fixtures/https/dynamic_https_sni_default_cert.toml
+++ b/integration/fixtures/https/dynamic_https_sni_default_cert.toml
@@ -30,7 +30,6 @@ level = "DEBUG"
[http.services.service1.LoadBalancer]
[[http.services.service1.LoadBalancer.Servers]]
url = "http://127.0.0.1:9010"
- weight = 1
[[tls]]
[tls.certificate]
diff --git a/integration/fixtures/https/https_redirect.toml b/integration/fixtures/https/https_redirect.toml
index 22e184dfa..b072200b1 100644
--- a/integration/fixtures/https/https_redirect.toml
+++ b/integration/fixtures/https/https_redirect.toml
@@ -170,4 +170,3 @@ level = "DEBUG"
[http.services.service1.LoadBalancer]
[[http.services.service1.LoadBalancer.Servers]]
url = "http://127.0.0.1:80"
- weight = 1
diff --git a/integration/fixtures/https/https_sni.toml b/integration/fixtures/https/https_sni.toml
index 5be5d5154..944f11e24 100644
--- a/integration/fixtures/https/https_sni.toml
+++ b/integration/fixtures/https/https_sni.toml
@@ -30,13 +30,11 @@ level = "DEBUG"
[http.services.service1.LoadBalancer]
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://127.0.0.1:9010"
- Weight = 1
[http.services.service2]
[http.services.service2.LoadBalancer]
[[http.services.service2.LoadBalancer.Servers]]
URL = "http://127.0.0.1:9020"
- Weight = 1
[[tls]]
[tls.certificate]
diff --git a/integration/fixtures/https/https_sni_case_insensitive_dynamic.toml b/integration/fixtures/https/https_sni_case_insensitive_dynamic.toml
index 059ba3086..d6501c9cc 100644
--- a/integration/fixtures/https/https_sni_case_insensitive_dynamic.toml
+++ b/integration/fixtures/https/https_sni_case_insensitive_dynamic.toml
@@ -30,7 +30,6 @@ level = "DEBUG"
[http.services.service1.LoadBalancer]
[[http.services.service1.LoadBalancer.Servers]]
url = "http://127.0.0.1:9010"
- weight = 1
[[tls]]
[tls.certificate]
diff --git a/integration/fixtures/https/https_sni_default_cert.toml b/integration/fixtures/https/https_sni_default_cert.toml
index 0bf10dfcc..b5034dcea 100644
--- a/integration/fixtures/https/https_sni_default_cert.toml
+++ b/integration/fixtures/https/https_sni_default_cert.toml
@@ -30,7 +30,6 @@ level = "DEBUG"
[http.services.service1.LoadBalancer]
[[http.services.service1.LoadBalancer.Servers]]
url = "http://127.0.0.1:9010"
- weight = 1
[[tls]]
[tls.certificate]
diff --git a/integration/fixtures/https/https_sni_strict.toml b/integration/fixtures/https/https_sni_strict.toml
index f24b9cf3b..6cca5d576 100644
--- a/integration/fixtures/https/https_sni_strict.toml
+++ b/integration/fixtures/https/https_sni_strict.toml
@@ -25,7 +25,6 @@ level = "DEBUG"
[http.services.service1.LoadBalancer]
[[http.services.service1.LoadBalancer.Servers]]
url = "http://127.0.0.1:9010"
- weight = 1
[tlsOptions.default]
sniStrict = true
diff --git a/integration/fixtures/https/https_tls_options.toml b/integration/fixtures/https/https_tls_options.toml
new file mode 100644
index 000000000..c0072efcd
--- /dev/null
+++ b/integration/fixtures/https/https_tls_options.toml
@@ -0,0 +1,62 @@
+[global]
+checkNewVersion = false
+sendAnonymousUsage = false
+
+[log]
+level = "DEBUG"
+
+[entryPoints]
+ [entryPoints.web-secure]
+ address = ":4443"
+
+[api]
+
+[providers]
+ [providers.file]
+
+[http.routers]
+ [http.routers.router1]
+ Service = "service1"
+ Rule = "Host(`snitest.com`)"
+ [http.routers.router1.tls]
+ options = "foo"
+
+ [http.routers.router2]
+ Service = "service2"
+ Rule = "Host(`snitest.org`)"
+ [http.routers.router2.tls]
+ options = "bar"
+
+ [http.routers.router3]
+ Service = "service2"
+ Rule = "Host(`snitest.org`)"
+ [http.routers.router3.tls]
+ options = "unknown"
+
+[http.services]
+ [http.services.service1]
+ [http.services.service1.LoadBalancer]
+ [[http.services.service1.LoadBalancer.Servers]]
+ URL = "http://127.0.0.1:9010"
+
+ [http.services.service2]
+ [http.services.service2.LoadBalancer]
+ [[http.services.service2.LoadBalancer.Servers]]
+ URL = "http://127.0.0.1:9020"
+
+
+[[tls]]
+ [tls.certificate]
+ certFile = "fixtures/https/snitest.com.cert"
+ keyFile = "fixtures/https/snitest.com.key"
+
+[[tls]]
+ [tls.certificate]
+ certFile = "fixtures/https/snitest.org.cert"
+ keyFile = "fixtures/https/snitest.org.key"
+
+[tlsoptions.foo]
+ minversion = "VersionTLS11"
+
+[tlsoptions.bar]
+ minversion = "VersionTLS12"
diff --git a/integration/fixtures/https/rootcas/https.toml b/integration/fixtures/https/rootcas/https.toml
index c3e903387..ef89ac863 100644
--- a/integration/fixtures/https/rootcas/https.toml
+++ b/integration/fixtures/https/rootcas/https.toml
@@ -44,4 +44,3 @@ fblo6RBxUQ==
[[http.services.service1.LoadBalancer.Servers]]
URL = "{{ .BackendHost }}"
- Weight = 1
diff --git a/integration/fixtures/https/rootcas/https_with_file.toml b/integration/fixtures/https/rootcas/https_with_file.toml
index 661e441a7..efdd2fb6e 100644
--- a/integration/fixtures/https/rootcas/https_with_file.toml
+++ b/integration/fixtures/https/rootcas/https_with_file.toml
@@ -29,4 +29,3 @@ rootCAs = [ "fixtures/https/rootcas/local.crt"]
[[http.services.service1.LoadBalancer.Servers]]
URL = "{{ .BackendHost }}"
- Weight = 1
diff --git a/integration/fixtures/k8s/01-crd.yml b/integration/fixtures/k8s/01-crd.yml
index e8f78d03e..f3992350d 100644
--- a/integration/fixtures/k8s/01-crd.yml
+++ b/integration/fixtures/k8s/01-crd.yml
@@ -26,3 +26,18 @@ spec:
plural: middlewares
singular: middleware
scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressroutetcps.traefik.containo.us
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRouteTCP
+ plural: ingressroutetcps
+ singular: ingressroutetcp
+ scope: Namespaced
diff --git a/integration/fixtures/k8s/02-services.yml b/integration/fixtures/k8s/02-services.yml
index 20b80f97d..13002c402 100644
--- a/integration/fixtures/k8s/02-services.yml
+++ b/integration/fixtures/k8s/02-services.yml
@@ -39,3 +39,46 @@ spec:
selector:
app: containous
task: whoami
+
+---
+kind: Deployment
+apiVersion: extensions/v1beta1
+metadata:
+ name: whoamitcp
+ namespace: default
+ labels:
+ app: containous
+ name: whoamitcp
+
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: containous
+ task: whoamitcp
+ template:
+ metadata:
+ labels:
+ app: containous
+ task: whoamitcp
+ spec:
+ containers:
+ - name: containouswhoamitcp
+ image: containous/whoamitcp
+ ports:
+ - containerPort: 8080
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: whoamitcp
+ namespace: default
+
+spec:
+ ports:
+ - name: footcp
+ port: 8080
+ selector:
+ app: containous
+ task: whoamitcp
diff --git a/integration/fixtures/k8s/05-ingressroutetcp.yml b/integration/fixtures/k8s/05-ingressroutetcp.yml
new file mode 100644
index 000000000..ec84bd21b
--- /dev/null
+++ b/integration/fixtures/k8s/05-ingressroutetcp.yml
@@ -0,0 +1,14 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+ name: test3.crd
+ namespace: default
+
+spec:
+ entryPoints:
+ - footcp
+ routes:
+ - match: HostSNI(`*`)
+ services:
+ - name: whoamitcp
+ port: 8080
diff --git a/integration/fixtures/k8s_crd.toml b/integration/fixtures/k8s_crd.toml
index 787403409..d34f6a03a 100644
--- a/integration/fixtures/k8s_crd.toml
+++ b/integration/fixtures/k8s_crd.toml
@@ -8,6 +8,9 @@ level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8000"
+ [entryPoints.footcp]
+ address = ":8093"
+
[api]
diff --git a/integration/fixtures/log_rotation_config.toml b/integration/fixtures/log_rotation_config.toml
index 95dee4997..bc2e429ce 100644
--- a/integration/fixtures/log_rotation_config.toml
+++ b/integration/fixtures/log_rotation_config.toml
@@ -35,4 +35,3 @@ entryPoint = "api"
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://127.0.0.1:8081"
- Weight = 1
diff --git a/integration/fixtures/multiple_provider.toml b/integration/fixtures/multiple_provider.toml
index d0bb8f653..6e8cc4979 100644
--- a/integration/fixtures/multiple_provider.toml
+++ b/integration/fixtures/multiple_provider.toml
@@ -30,4 +30,3 @@ level = "DEBUG"
[[http.services.service-test.LoadBalancer.Servers]]
URL = "http://{{ .IP }}"
- Weight = 1
diff --git a/integration/fixtures/multiprovider.toml b/integration/fixtures/multiprovider.toml
index cc03d5d1f..3184a5a1f 100644
--- a/integration/fixtures/multiprovider.toml
+++ b/integration/fixtures/multiprovider.toml
@@ -22,7 +22,6 @@ level = "DEBUG"
[[http.services.service.LoadBalancer.Servers]]
URL = "{{.Server}}"
- Weight = 1
[http.middlewares]
[http.middlewares.customheader.Headers.CustomRequestHeaders]
X-Custom="CustomValue"
diff --git a/integration/fixtures/proxy-protocol/with.toml b/integration/fixtures/proxy-protocol/with.toml
index 1d75abb4d..5f853093d 100644
--- a/integration/fixtures/proxy-protocol/with.toml
+++ b/integration/fixtures/proxy-protocol/with.toml
@@ -27,4 +27,3 @@ level = "DEBUG"
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://{{.WhoamiIP}}"
- Weight = 1
diff --git a/integration/fixtures/proxy-protocol/without.toml b/integration/fixtures/proxy-protocol/without.toml
index 3baeae411..f4c12fcdd 100644
--- a/integration/fixtures/proxy-protocol/without.toml
+++ b/integration/fixtures/proxy-protocol/without.toml
@@ -27,4 +27,3 @@ level = "DEBUG"
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://{{.WhoamiIP}}"
- Weight = 1
diff --git a/integration/fixtures/ratelimit/simple.toml b/integration/fixtures/ratelimit/simple.toml
index 12f588d29..cfd7a888c 100644
--- a/integration/fixtures/ratelimit/simple.toml
+++ b/integration/fixtures/ratelimit/simple.toml
@@ -2,12 +2,19 @@
checkNewVersion = false
sendAnonymousUsage = false
+[api]
+entrypoint="api"
+
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.web]
- address = ":80"
+ address = ":8081"
+
+
+ [entryPoints.api]
+ address = ":8080"
[providers]
[providers.file]
@@ -36,4 +43,3 @@ level = "DEBUG"
passHostHeader = true
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://{{.Server1}}:80"
- Weight = 1
diff --git a/integration/fixtures/reqacceptgrace.toml b/integration/fixtures/reqacceptgrace.toml
index 260760b8e..61069237d 100644
--- a/integration/fixtures/reqacceptgrace.toml
+++ b/integration/fixtures/reqacceptgrace.toml
@@ -32,5 +32,4 @@ level = "DEBUG"
[[http.services.service.LoadBalancer.Servers]]
URL = "{{.Server}}"
- Weight = 1
diff --git a/integration/fixtures/retry/simple.toml b/integration/fixtures/retry/simple.toml
index ad94b47d1..44f4a2577 100644
--- a/integration/fixtures/retry/simple.toml
+++ b/integration/fixtures/retry/simple.toml
@@ -29,8 +29,6 @@ level = "DEBUG"
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://{{.WhoamiEndpoint}}:8080"
- Weight = 1
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://{{.WhoamiEndpoint}}:80"
- Weight = 1
diff --git a/integration/fixtures/simple_auth.toml b/integration/fixtures/simple_auth.toml
index b8beb0994..2bf04f6d6 100644
--- a/integration/fixtures/simple_auth.toml
+++ b/integration/fixtures/simple_auth.toml
@@ -13,7 +13,7 @@ level = "DEBUG"
address = ":8001"
[api]
- middlewares = ["file.authentication"]
+ middlewares = ["file@authentication"]
[ping]
diff --git a/integration/fixtures/simple_stats.toml b/integration/fixtures/simple_stats.toml
index 808a2635d..f2202d92c 100644
--- a/integration/fixtures/simple_stats.toml
+++ b/integration/fixtures/simple_stats.toml
@@ -30,10 +30,8 @@ level = "DEBUG"
[http.services.service1.LoadBalancer]
[[http.services.service1.LoadBalancer.Servers]]
URL = "{{ .Server1 }}"
- Weight = 1
[http.services.service2]
[http.services.service2.LoadBalancer]
[[http.services.service2.LoadBalancer.Servers]]
URL = "{{ .Server2 }}"
- Weight = 1
diff --git a/integration/fixtures/simple_whitelist.toml b/integration/fixtures/simple_whitelist.toml
index 272e634a2..a6a456664 100644
--- a/integration/fixtures/simple_whitelist.toml
+++ b/integration/fixtures/simple_whitelist.toml
@@ -10,8 +10,6 @@ level = "DEBUG"
address = ":8000"
[entryPoints.web.ForwardedHeaders]
insecure=true
- [entryPoints.web.ClientIPStrategy]
- depth=2
[api]
diff --git a/integration/fixtures/tcp/catch-all-no-tls-with-https.toml b/integration/fixtures/tcp/catch-all-no-tls-with-https.toml
new file mode 100644
index 000000000..da1c0b62e
--- /dev/null
+++ b/integration/fixtures/tcp/catch-all-no-tls-with-https.toml
@@ -0,0 +1,40 @@
+[global]
+checkNewVersion = false
+sendAnonymousUsage = false
+
+[log]
+level = "DEBUG"
+
+[entryPoints]
+ [entryPoints.tcp]
+ address = ":8093"
+
+[api]
+
+[providers.file]
+
+[tcp]
+ [tcp.routers]
+ [tcp.routers.to-whoami-no-tls]
+ entryPoints = ["tcp"]
+ rule="HostSNI(`*`)"
+ service = "whoami-no-tls"
+
+ [tcp.services]
+ [tcp.services.whoami-no-tls.loadbalancer]
+ [[tcp.services.whoami-no-tls.loadbalancer.servers]]
+ address = "localhost:8086"
+
+[http]
+ [http.routers]
+ [http.routers.to-whoami]
+ entryPoints = ["tcp"]
+ rule="PathPrefix(`/`)"
+ service = "whoami"
+ [http.routers.to-whoami.tls]
+
+
+ [http.services]
+ [http.services.whoami.loadbalancer]
+ [[http.services.whoami.loadbalancer.servers]]
+ url = "http://localhost:8085"
diff --git a/integration/fixtures/tcp/catch-all-no-tls.toml b/integration/fixtures/tcp/catch-all-no-tls.toml
new file mode 100644
index 000000000..6bd5fd5d0
--- /dev/null
+++ b/integration/fixtures/tcp/catch-all-no-tls.toml
@@ -0,0 +1,26 @@
+[global]
+checkNewVersion = false
+sendAnonymousUsage = false
+
+[log]
+level = "DEBUG"
+
+[entryPoints]
+ [entryPoints.tcp]
+ address = ":8093"
+
+[api]
+
+[providers.file]
+
+[tcp]
+ [tcp.routers]
+ [tcp.routers.to-whoami-no-tls]
+ entryPoints = ["tcp"]
+ rule="HostSNI(`*`)"
+ service = "whoami-no-tls"
+
+ [tcp.services]
+ [tcp.services.whoami-no-tls.loadbalancer]
+ [[tcp.services.whoami-no-tls.loadbalancer.servers]]
+ address = "localhost:8086"
diff --git a/integration/fixtures/tcp/mixed.toml b/integration/fixtures/tcp/mixed.toml
index 3116d7df9..8a73f837c 100644
--- a/integration/fixtures/tcp/mixed.toml
+++ b/integration/fixtures/tcp/mixed.toml
@@ -30,7 +30,6 @@ level = "DEBUG"
[http.services.whoami.loadbalancer]
[[http.services.whoami.loadbalancer.servers]]
url = "http://localhost:8085"
- weight=1
[tcp]
[tcp.routers]
[tcp.routers.to-whoami-a]
@@ -53,26 +52,17 @@ level = "DEBUG"
entryPoints = [ "tcp" ]
[tcp.routers.to-whoami-no-cert.tls]
- [tcp.services.whoami-a]
- [tcp.services.whoami-a.loadbalancer]
- method = "wrr"
- [[tcp.services.whoami-a.loadbalancer.servers]]
+ [tcp.services.whoami-a.loadbalancer]
+ [[tcp.services.whoami-a.loadbalancer.servers]]
address = "localhost:8081"
- weight = 1
- [tcp.services.whoami-b]
- [tcp.services.whoami-b.loadbalancer]
- method = "wrr"
- [[tcp.services.whoami-b.loadbalancer.servers]]
+ [tcp.services.whoami-b.loadbalancer]
+ [[tcp.services.whoami-b.loadbalancer.servers]]
address = "localhost:8082"
- weight = 1
- [tcp.services.whoami-no-cert]
- [tcp.services.whoami-no-cert.loadbalancer]
- method = "wrr"
- [[tcp.services.whoami-no-cert.loadbalancer.servers]]
+ [tcp.services.whoami-no-cert.loadbalancer]
+ [[tcp.services.whoami-no-cert.loadbalancer.servers]]
address = "localhost:8083"
- weight = 1
[[tls]]
[tls.certificate]
diff --git a/integration/fixtures/tcp/multi-tls-options.toml b/integration/fixtures/tcp/multi-tls-options.toml
new file mode 100644
index 000000000..36b75fc67
--- /dev/null
+++ b/integration/fixtures/tcp/multi-tls-options.toml
@@ -0,0 +1,42 @@
+[global]
+checkNewVersion = false
+sendAnonymousUsage = false
+
+[log]
+level = "DEBUG"
+
+[entryPoints]
+ [entryPoints.tcp]
+ address = ":8093"
+
+[api]
+
+[providers.file]
+
+[tcp]
+ [tcp.routers]
+ [tcp.routers.to-whoami-no-cert]
+ rule = "HostSNI(`whoami-c.test`)"
+ service = "whoami-no-cert"
+ entryPoints = [ "tcp" ]
+ [tcp.routers.to-whoami-no-cert.tls]
+ options = "foo"
+
+ [tcp.routers.to-whoami-sni-strict]
+ rule = "HostSNI(`whoami-d.test`)"
+ service = "whoami-no-cert"
+ entryPoints = [ "tcp" ]
+ [tcp.routers.to-whoami-sni-strict.tls]
+ options = "bar"
+
+ [tcp.services.whoami-no-cert]
+ [tcp.services.whoami-no-cert.loadbalancer]
+ method = "wrr"
+ [[tcp.services.whoami-no-cert.loadbalancer.servers]]
+ address = "localhost:8083"
+
+[tlsoptions.foo]
+ minversion = "VersionTLS11"
+
+[tlsoptions.bar]
+ minversion = "VersionTLS12"
diff --git a/integration/fixtures/tcp/non-tls-fallback.toml b/integration/fixtures/tcp/non-tls-fallback.toml
index 99f2c51b8..37ff13045 100644
--- a/integration/fixtures/tcp/non-tls-fallback.toml
+++ b/integration/fixtures/tcp/non-tls-fallback.toml
@@ -45,23 +45,14 @@ level = "DEBUG"
[[tcp.services.whoami-no-tls.loadbalancer.servers]]
address = "localhost:8084"
- [tcp.services.whoami-a]
- [tcp.services.whoami-a.loadbalancer]
- method = "wrr"
- [[tcp.services.whoami-a.loadbalancer.servers]]
- address = "localhost:8081"
- weight = 1
+ [tcp.services.whoami-a.loadbalancer]
+ [[tcp.services.whoami-a.loadbalancer.servers]]
+ address = "localhost:8081"
- [tcp.services.whoami-b]
- [tcp.services.whoami-b.loadbalancer]
- method = "wrr"
- [[tcp.services.whoami-b.loadbalancer.servers]]
- address = "localhost:8082"
- weight = 1
+ [tcp.services.whoami-b.loadbalancer]
+ [[tcp.services.whoami-b.loadbalancer.servers]]
+ address = "localhost:8082"
- [tcp.services.whoami-no-cert]
- [tcp.services.whoami-no-cert.loadbalancer]
- method = "wrr"
- [[tcp.services.whoami-no-cert.loadbalancer.servers]]
- address = "localhost:8083"
- weight = 1
+ [tcp.services.whoami-no-cert.loadbalancer]
+ [[tcp.services.whoami-no-cert.loadbalancer.servers]]
+ address = "localhost:8083"
diff --git a/integration/fixtures/timeout/forwarding_timeouts.toml b/integration/fixtures/timeout/forwarding_timeouts.toml
index 4ceceb446..04d80e14f 100644
--- a/integration/fixtures/timeout/forwarding_timeouts.toml
+++ b/integration/fixtures/timeout/forwarding_timeouts.toml
@@ -35,10 +35,8 @@ level = "DEBUG"
[http.services.service1.LoadBalancer]
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://50.255.255.1"
- Weight = 1
[http.services.service2]
[http.services.service2.LoadBalancer]
[[http.services.service2.LoadBalancer.Servers]]
URL = "http://{{.TimeoutEndpoint}}:9000"
- Weight = 1
diff --git a/integration/fixtures/tracing/simple.toml b/integration/fixtures/tracing/simple.toml
index 955f1eebc..40428ddef 100644
--- a/integration/fixtures/tracing/simple.toml
+++ b/integration/fixtures/tracing/simple.toml
@@ -61,18 +61,15 @@ level = "DEBUG"
passHostHeader = true
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://{{.WhoAmiIP}}:{{.WhoAmiPort}}"
- Weight = 1
[http.services.service2]
passHostHeader = true
[http.services.service2.LoadBalancer]
[[http.services.service2.LoadBalancer.Servers]]
URL = "http://{{.WhoAmiIP}}:{{.WhoAmiPort}}"
- Weight = 1
[http.services.service3]
passHostHeader = true
[http.services.service3.LoadBalancer]
[[http.services.service3.LoadBalancer.Servers]]
URL = "http://{{.WhoAmiIP}}:{{.WhoAmiPort}}"
- Weight = 1
diff --git a/integration/fixtures/websocket/config.toml b/integration/fixtures/websocket/config.toml
index fd7f3f9e1..5bd199180 100644
--- a/integration/fixtures/websocket/config.toml
+++ b/integration/fixtures/websocket/config.toml
@@ -25,4 +25,3 @@ level = "DEBUG"
passHostHeader = true
[[http.services.service1.LoadBalancer.Servers]]
URL = "{{ .WebsocketServer }}"
- Weight = 1
diff --git a/integration/fixtures/websocket/config_https.toml b/integration/fixtures/websocket/config_https.toml
index 76de69636..a1e672c20 100644
--- a/integration/fixtures/websocket/config_https.toml
+++ b/integration/fixtures/websocket/config_https.toml
@@ -29,7 +29,6 @@ insecureSkipVerify=true
PassHostHeader = true
[[http.services.service1.LoadBalancer.Servers]]
URL = "{{ .WebsocketServer }}"
- Weight = 1
[tlsStores.default.DefaultCertificate]
certFile = "resources/tls/local.cert"
diff --git a/integration/grpc_test.go b/integration/grpc_test.go
index d46a88932..e2d4c63e3 100644
--- a/integration/grpc_test.go
+++ b/integration/grpc_test.go
@@ -167,7 +167,7 @@ func (s *GRPCSuite) TestGRPC(c *check.C) {
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 1*time.Second, try.BodyContains("Host(`127.0.0.1`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`127.0.0.1`)"))
c.Assert(err, check.IsNil)
var response string
@@ -205,7 +205,7 @@ func (s *GRPCSuite) TestGRPCh2c(c *check.C) {
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 1*time.Second, try.BodyContains("Host(`127.0.0.1`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`127.0.0.1`)"))
c.Assert(err, check.IsNil)
var response string
@@ -247,7 +247,7 @@ func (s *GRPCSuite) TestGRPCh2cTermination(c *check.C) {
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 1*time.Second, try.BodyContains("Host(`127.0.0.1`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`127.0.0.1`)"))
c.Assert(err, check.IsNil)
var response string
@@ -289,7 +289,7 @@ func (s *GRPCSuite) TestGRPCInsecure(c *check.C) {
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 1*time.Second, try.BodyContains("Host(`127.0.0.1`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`127.0.0.1`)"))
c.Assert(err, check.IsNil)
var response string
@@ -336,7 +336,7 @@ func (s *GRPCSuite) TestGRPCBuffer(c *check.C) {
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 1*time.Second, try.BodyContains("Host(`127.0.0.1`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`127.0.0.1`)"))
c.Assert(err, check.IsNil)
var client helloworld.Greeter_StreamExampleClient
client, closer, err := callStreamExampleClientGRPC()
@@ -364,7 +364,6 @@ func (s *GRPCSuite) TestGRPCBuffer(c *check.C) {
func (s *GRPCSuite) TestGRPCBufferWithFlushInterval(c *check.C) {
stopStreamExample := make(chan bool)
-
lis, err := net.Listen("tcp", ":0")
c.Assert(err, check.IsNil)
_, port, err := net.SplitHostPort(lis.Addr().String())
@@ -378,7 +377,7 @@ func (s *GRPCSuite) TestGRPCBufferWithFlushInterval(c *check.C) {
c.Assert(err, check.IsNil)
}()
- file := s.adaptFile(c, "fixtures/grpc/config_with_flush.toml", struct {
+ file := s.adaptFile(c, "fixtures/grpc/config.toml", struct {
CertContent string
KeyContent string
GRPCServerPort string
@@ -396,7 +395,7 @@ func (s *GRPCSuite) TestGRPCBufferWithFlushInterval(c *check.C) {
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 1*time.Second, try.BodyContains("Host(`127.0.0.1`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`127.0.0.1`)"))
c.Assert(err, check.IsNil)
var client helloworld.Greeter_StreamExampleClient
@@ -454,7 +453,7 @@ func (s *GRPCSuite) TestGRPCWithRetry(c *check.C) {
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 1*time.Second, try.BodyContains("Host(`127.0.0.1`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`127.0.0.1`)"))
c.Assert(err, check.IsNil)
var response string
diff --git a/integration/healthcheck_test.go b/integration/healthcheck_test.go
index 1729a382f..13fc47860 100644
--- a/integration/healthcheck_test.go
+++ b/integration/healthcheck_test.go
@@ -41,7 +41,7 @@ func (s *HealthCheckSuite) TestSimpleConfiguration(c *check.C) {
defer cmd.Process.Kill()
// wait for traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 60*time.Second, try.BodyContains("Host(`test.localhost`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 60*time.Second, try.BodyContains("Host(`test.localhost`)"))
c.Assert(err, checker.IsNil)
frontendHealthReq, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/health", nil)
@@ -95,16 +95,8 @@ func (s *HealthCheckSuite) TestSimpleConfiguration(c *check.C) {
c.Assert(resp.StatusCode, checker.Equals, http.StatusNotFound)
}
-func (s *HealthCheckSuite) TestMultipleEntrypointsWrr(c *check.C) {
- s.doTestMultipleEntrypoints(c, "fixtures/healthcheck/multiple-entrypoints-wrr.toml")
-}
-
-func (s *HealthCheckSuite) TestMultipleEntrypointsDrr(c *check.C) {
- s.doTestMultipleEntrypoints(c, "fixtures/healthcheck/multiple-entrypoints-drr.toml")
-}
-
-func (s *HealthCheckSuite) doTestMultipleEntrypoints(c *check.C, fixture string) {
- file := s.adaptFile(c, fixture, struct {
+func (s *HealthCheckSuite) TestMultipleEntrypoints(c *check.C) {
+ file := s.adaptFile(c, "fixtures/healthcheck/multiple-entrypoints.toml", struct {
Server1 string
Server2 string
}{s.whoami1IP, s.whoami2IP})
@@ -117,7 +109,7 @@ func (s *HealthCheckSuite) doTestMultipleEntrypoints(c *check.C, fixture string)
defer cmd.Process.Kill()
// Wait for traefik
- err = try.GetRequest("http://localhost:8080/api/providers/file/routers", 60*time.Second, try.BodyContains("Host(`test.localhost`)"))
+ err = try.GetRequest("http://localhost:8080/api/rawdata", 60*time.Second, try.BodyContains("Host(`test.localhost`)"))
c.Assert(err, checker.IsNil)
// Check entrypoint http1
@@ -194,7 +186,7 @@ func (s *HealthCheckSuite) TestPortOverload(c *check.C) {
defer cmd.Process.Kill()
// wait for traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 10*time.Second, try.BodyContains("Host(`test.localhost`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.BodyContains("Host(`test.localhost`)"))
c.Assert(err, checker.IsNil)
frontendHealthReq, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/health", nil)
diff --git a/integration/https_test.go b/integration/https_test.go
index 6ea6041c6..2b43ae673 100644
--- a/integration/https_test.go
+++ b/integration/https_test.go
@@ -32,7 +32,7 @@ func (s *HTTPSSuite) TestWithSNIConfigHandshake(c *check.C) {
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 500*time.Millisecond, try.BodyContains("Host(`snitest.org`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 500*time.Millisecond, try.BodyContains("Host(`snitest.org`)"))
c.Assert(err, checker.IsNil)
tlsConfig := &tls.Config{
@@ -66,7 +66,7 @@ func (s *HTTPSSuite) TestWithSNIConfigRoute(c *check.C) {
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 1*time.Second, try.BodyContains("Host(`snitest.org`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`snitest.org`)"))
c.Assert(err, checker.IsNil)
backend1 := startTestServer("9010", http.StatusNoContent)
@@ -111,6 +111,90 @@ func (s *HTTPSSuite) TestWithSNIConfigRoute(c *check.C) {
c.Assert(err, checker.IsNil)
}
+// TestWithTLSOptions verifies that traefik routes the requests with the associated tls options.
+func (s *HTTPSSuite) TestWithTLSOptions(c *check.C) {
+ cmd, display := s.traefikCmd(withConfigFile("fixtures/https/https_tls_options.toml"))
+ defer display(c)
+ err := cmd.Start()
+ c.Assert(err, checker.IsNil)
+ defer cmd.Process.Kill()
+
+ // wait for Traefik
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`snitest.org`)"))
+ c.Assert(err, checker.IsNil)
+
+ backend1 := startTestServer("9010", http.StatusNoContent)
+ backend2 := startTestServer("9020", http.StatusResetContent)
+ defer backend1.Close()
+ defer backend2.Close()
+
+ err = try.GetRequest(backend1.URL, 1*time.Second, try.StatusCodeIs(http.StatusNoContent))
+ c.Assert(err, checker.IsNil)
+ err = try.GetRequest(backend2.URL, 1*time.Second, try.StatusCodeIs(http.StatusResetContent))
+ c.Assert(err, checker.IsNil)
+
+ tr1 := &http.Transport{
+ TLSClientConfig: &tls.Config{
+ InsecureSkipVerify: true,
+ MaxVersion: tls.VersionTLS11,
+ ServerName: "snitest.com",
+ },
+ }
+
+ tr2 := &http.Transport{
+ TLSClientConfig: &tls.Config{
+ InsecureSkipVerify: true,
+ MaxVersion: tls.VersionTLS12,
+ ServerName: "snitest.org",
+ },
+ }
+
+ tr3 := &http.Transport{
+ TLSClientConfig: &tls.Config{
+ InsecureSkipVerify: true,
+ MaxVersion: tls.VersionTLS11,
+ ServerName: "snitest.org",
+ },
+ }
+
+ // With valid TLS options and request
+ req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
+ c.Assert(err, checker.IsNil)
+ req.Host = tr1.TLSClientConfig.ServerName
+ req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
+ req.Header.Set("Accept", "*/*")
+
+ err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName), try.StatusCodeIs(http.StatusNoContent))
+ c.Assert(err, checker.IsNil)
+
+ // With a valid TLS version
+ req, err = http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
+ c.Assert(err, checker.IsNil)
+ req.Host = tr2.TLSClientConfig.ServerName
+ req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
+ req.Header.Set("Accept", "*/*")
+
+ err = try.RequestWithTransport(req, 3*time.Second, tr2, try.HasCn(tr2.TLSClientConfig.ServerName), try.StatusCodeIs(http.StatusResetContent))
+ c.Assert(err, checker.IsNil)
+
+ // With a bad TLS version
+ req, err = http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
+ c.Assert(err, checker.IsNil)
+ req.Host = tr3.TLSClientConfig.ServerName
+ req.Header.Set("Host", tr3.TLSClientConfig.ServerName)
+ req.Header.Set("Accept", "*/*")
+ client := http.Client{
+ Transport: tr3,
+ }
+ _, err = client.Do(req)
+ c.Assert(err, checker.NotNil)
+ c.Assert(err.Error(), checker.Contains, "protocol version not supported")
+
+ // with unknown tls option
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("unknown TLS options: unknown"))
+ c.Assert(err, checker.IsNil)
+}
+
// TestWithSNIStrictNotMatchedRequest involves a client sending a SNI hostname of
// "snitest.org", which does not match the CN of 'snitest.com.crt'. The test
// verifies that traefik closes the connection.
@@ -122,7 +206,7 @@ func (s *HTTPSSuite) TestWithSNIStrictNotMatchedRequest(c *check.C) {
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 500*time.Millisecond, try.BodyContains("Host(`snitest.com`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 500*time.Millisecond, try.BodyContains("Host(`snitest.com`)"))
c.Assert(err, checker.IsNil)
tlsConfig := &tls.Config{
@@ -146,7 +230,7 @@ func (s *HTTPSSuite) TestWithDefaultCertificate(c *check.C) {
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 500*time.Millisecond, try.BodyContains("Host(`snitest.com`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 500*time.Millisecond, try.BodyContains("Host(`snitest.com`)"))
c.Assert(err, checker.IsNil)
tlsConfig := &tls.Config{
@@ -180,7 +264,7 @@ func (s *HTTPSSuite) TestWithDefaultCertificateNoSNI(c *check.C) {
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 500*time.Millisecond, try.BodyContains("Host(`snitest.com`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 500*time.Millisecond, try.BodyContains("Host(`snitest.com`)"))
c.Assert(err, checker.IsNil)
tlsConfig := &tls.Config{
@@ -214,7 +298,7 @@ func (s *HTTPSSuite) TestWithOverlappingStaticCertificate(c *check.C) {
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 500*time.Millisecond, try.BodyContains("Host(`snitest.com`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 500*time.Millisecond, try.BodyContains("Host(`snitest.com`)"))
c.Assert(err, checker.IsNil)
tlsConfig := &tls.Config{
@@ -249,7 +333,7 @@ func (s *HTTPSSuite) TestWithOverlappingDynamicCertificate(c *check.C) {
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 500*time.Millisecond, try.BodyContains("Host(`snitest.com`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 500*time.Millisecond, try.BodyContains("Host(`snitest.com`)"))
c.Assert(err, checker.IsNil)
tlsConfig := &tls.Config{
@@ -282,7 +366,7 @@ func (s *HTTPSSuite) TestWithClientCertificateAuthentication(c *check.C) {
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 500*time.Millisecond, try.BodyContains("Host(`snitest.org`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 500*time.Millisecond, try.BodyContains("Host(`snitest.org`)"))
c.Assert(err, checker.IsNil)
tlsConfig := &tls.Config{
@@ -338,7 +422,7 @@ func (s *HTTPSSuite) TestWithClientCertificateAuthenticationMultipleCAs(c *check
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 1*time.Second, try.BodyContains("Host(`snitest.org`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`snitest.org`)"))
c.Assert(err, checker.IsNil)
tlsConfig := &tls.Config{
@@ -399,7 +483,7 @@ func (s *HTTPSSuite) TestWithClientCertificateAuthenticationMultipleCAsMultipleF
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 1*time.Second, try.BodyContains("Host(`snitest.org`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`snitest.org`)"))
c.Assert(err, checker.IsNil)
tlsConfig := &tls.Config{
@@ -464,7 +548,7 @@ func (s *HTTPSSuite) TestWithRootCAsContentForHTTPSOnBackend(c *check.C) {
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/services", 1*time.Second, try.BodyContains(backend.URL))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains(backend.URL))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8081/ping", 1*time.Second, try.StatusCodeIs(http.StatusOK))
@@ -486,7 +570,7 @@ func (s *HTTPSSuite) TestWithRootCAsFileForHTTPSOnBackend(c *check.C) {
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/services", 1*time.Second, try.BodyContains(backend.URL))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains(backend.URL))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8081/ping", 1*time.Second, try.StatusCodeIs(http.StatusOK))
@@ -544,7 +628,7 @@ func (s *HTTPSSuite) TestWithSNIDynamicConfigRouteWithNoChange(c *check.C) {
}
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 1*time.Second, try.BodyContains("Host(`"+tr1.TLSClientConfig.ServerName+"`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`"+tr1.TLSClientConfig.ServerName+"`)"))
c.Assert(err, checker.IsNil)
backend1 := startTestServer("9010", http.StatusNoContent)
@@ -613,7 +697,7 @@ func (s *HTTPSSuite) TestWithSNIDynamicConfigRouteWithChange(c *check.C) {
}
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 1*time.Second, try.BodyContains("Host(`"+tr2.TLSClientConfig.ServerName+"`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`"+tr2.TLSClientConfig.ServerName+"`)"))
c.Assert(err, checker.IsNil)
backend1 := startTestServer("9010", http.StatusNoContent)
@@ -676,7 +760,7 @@ func (s *HTTPSSuite) TestWithSNIDynamicConfigRouteWithTlsConfigurationDeletion(c
}
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 1*time.Second, try.BodyContains("Host(`"+tr2.TLSClientConfig.ServerName+"`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`"+tr2.TLSClientConfig.ServerName+"`)"))
c.Assert(err, checker.IsNil)
backend2 := startTestServer("9020", http.StatusResetContent)
@@ -740,7 +824,7 @@ func (s *HTTPSSuite) TestEntrypointHttpsRedirectAndPathModification(c *check.C)
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 5*time.Second, try.BodyContains("Host(`example.com`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 5*time.Second, try.BodyContains("Host(`example.com`)"))
c.Assert(err, checker.IsNil)
client := &http.Client{
@@ -841,7 +925,7 @@ func (s *HTTPSSuite) TestWithSNIDynamicCaseInsensitive(c *check.C) {
defer cmd.Process.Kill()
// wait for Traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 500*time.Millisecond, try.BodyContains("HostRegexp(`{subdomain:[a-z1-9-]+}.www.snitest.com`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 500*time.Millisecond, try.BodyContains("HostRegexp(`{subdomain:[a-z1-9-]+}.www.snitest.com`)"))
c.Assert(err, checker.IsNil)
tlsConfig := &tls.Config{
diff --git a/integration/integration_test.go b/integration/integration_test.go
index 9429a092f..1355b7767 100644
--- a/integration/integration_test.go
+++ b/integration/integration_test.go
@@ -10,6 +10,7 @@ import (
"os"
"os/exec"
"path/filepath"
+ "strings"
"testing"
"text/template"
@@ -144,7 +145,7 @@ func (s *BaseSuite) adaptFile(c *check.C, path string, tempObjects interface{})
c.Assert(err, checker.IsNil)
folder, prefix := filepath.Split(path)
- tmpFile, err := ioutil.TempFile(folder, prefix)
+ tmpFile, err := ioutil.TempFile(folder, strings.TrimSuffix(prefix, filepath.Ext(prefix))+"_*"+filepath.Ext(prefix))
c.Assert(err, checker.IsNil)
defer tmpFile.Close()
diff --git a/integration/k8s_test.go b/integration/k8s_test.go
index f43e5503f..4bb6cb02d 100644
--- a/integration/k8s_test.go
+++ b/integration/k8s_test.go
@@ -1,16 +1,28 @@
package integration
import (
+ "bytes"
+ "encoding/json"
+ "errors"
+ "flag"
+ "fmt"
+ "io"
+ "io/ioutil"
"net/http"
"os"
"path/filepath"
+ "regexp"
"time"
"github.com/containous/traefik/integration/try"
+ "github.com/containous/traefik/pkg/api"
"github.com/go-check/check"
+ "github.com/pmezard/go-difflib/difflib"
checker "github.com/vdemeester/shakers"
)
+var updateExpected = flag.Bool("update_expected", false, "Update expected files in testdata")
+
// K8sSuite
type K8sSuite struct{ BaseSuite }
@@ -48,7 +60,7 @@ func (s *K8sSuite) TearDownSuite(c *check.C) {
}
}
-func (s *K8sSuite) TestIngressSimple(c *check.C) {
+func (s *K8sSuite) TestIngressConfiguration(c *check.C) {
cmd, display := s.traefikCmd(withConfigFile("fixtures/k8s_default.toml"))
defer display(c)
@@ -56,11 +68,10 @@ func (s *K8sSuite) TestIngressSimple(c *check.C) {
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
- err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 60*time.Second, try.StatusCodeIs(http.StatusOK), try.BodyContains("Host(`whoami.test`)"))
- c.Assert(err, checker.IsNil)
+ testConfiguration(c, "testdata/rawdata-ingress.json")
}
-func (s *K8sSuite) TestCRDSimple(c *check.C) {
+func (s *K8sSuite) TestCRDConfiguration(c *check.C) {
cmd, display := s.traefikCmd(withConfigFile("fixtures/k8s_crd.toml"))
defer display(c)
@@ -68,15 +79,105 @@ func (s *K8sSuite) TestCRDSimple(c *check.C) {
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
- err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 60*time.Second, try.StatusCodeIs(http.StatusOK), try.BodyContains("Host(`foo.com`)"))
- c.Assert(err, checker.IsNil)
-
- err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.StatusCodeIs(http.StatusOK), try.BodyContains("PathPrefix(`/tobestripped`)"))
- c.Assert(err, checker.IsNil)
-
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/kubernetescrd/routers", 1*time.Second, try.StatusCodeIs(http.StatusOK), try.BodyContains("default/stripprefix"))
- c.Assert(err, checker.IsNil)
-
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/kubernetescrd/middlewares", 1*time.Second, try.StatusCodeIs(http.StatusOK), try.BodyContains("stripprefix"))
- c.Assert(err, checker.IsNil)
+ testConfiguration(c, "testdata/rawdata-crd.json")
+}
+
+func testConfiguration(c *check.C, path string) {
+ expectedJSON := filepath.FromSlash(path)
+
+ if *updateExpected {
+ fi, err := os.Create(expectedJSON)
+ c.Assert(err, checker.IsNil)
+ err = fi.Close()
+ c.Assert(err, checker.IsNil)
+ }
+
+ var buf bytes.Buffer
+ err := try.GetRequest("http://127.0.0.1:8080/api/rawdata", 20*time.Second, try.StatusCodeIs(http.StatusOK), matchesConfig(expectedJSON, &buf))
+
+ if !*updateExpected {
+ if err != nil {
+ c.Error(err)
+ }
+ return
+ }
+
+ if err != nil {
+ c.Logf("In file update mode, got expected error: %v", err)
+ }
+
+ var rtRepr api.RunTimeRepresentation
+ err = json.Unmarshal(buf.Bytes(), &rtRepr)
+ c.Assert(err, checker.IsNil)
+
+ newJSON, err := json.MarshalIndent(rtRepr, "", "\t")
+ c.Assert(err, checker.IsNil)
+
+ err = ioutil.WriteFile(expectedJSON, newJSON, 0644)
+ c.Assert(err, checker.IsNil)
+ c.Errorf("We do not want a passing test in file update mode")
+}
+
+func matchesConfig(wantConfig string, buf *bytes.Buffer) try.ResponseCondition {
+ return func(res *http.Response) error {
+ body, err := ioutil.ReadAll(res.Body)
+ if err != nil {
+ return fmt.Errorf("failed to read response body: %s", err)
+ }
+
+ if err := res.Body.Close(); err != nil {
+ return err
+ }
+
+ var obtained api.RunTimeRepresentation
+ err = json.Unmarshal(body, &obtained)
+ if err != nil {
+ return err
+ }
+
+ if buf != nil {
+ buf.Reset()
+ if _, err := io.Copy(buf, bytes.NewReader(body)); err != nil {
+ return err
+ }
+ }
+
+ got, err := json.MarshalIndent(obtained, "", "\t")
+ if err != nil {
+ return err
+ }
+
+ expected, err := ioutil.ReadFile(wantConfig)
+ if err != nil {
+ return err
+ }
+
+ // The pods IPs are dynamic, so we cannot predict them,
+ // which is why we have to ignore them in the comparison.
+ rxURL := regexp.MustCompile(`"(url|address)":\s+(".*")`)
+ sanitizedExpected := rxURL.ReplaceAll(expected, []byte(`"$1": "XXXX"`))
+ sanitizedGot := rxURL.ReplaceAll(got, []byte(`"$1": "XXXX"`))
+
+ rxServerStatus := regexp.MustCompile(`"http://.*?":\s+(".*")`)
+ sanitizedExpected = rxServerStatus.ReplaceAll(sanitizedExpected, []byte(`"http://XXXX": $1`))
+ sanitizedGot = rxServerStatus.ReplaceAll(sanitizedGot, []byte(`"http://XXXX": $1`))
+
+ if bytes.Equal(sanitizedExpected, sanitizedGot) {
+ return nil
+ }
+
+ diff := difflib.UnifiedDiff{
+ FromFile: "Expected",
+ A: difflib.SplitLines(string(sanitizedExpected)),
+ ToFile: "Got",
+ B: difflib.SplitLines(string(sanitizedGot)),
+ Context: 3,
+ }
+
+ text, err := difflib.GetUnifiedDiffString(diff)
+ if err != nil {
+ return err
+ }
+ return errors.New(text)
+ }
}
diff --git a/integration/ratelimit_test.go b/integration/ratelimit_test.go
index 163744313..204221b80 100644
--- a/integration/ratelimit_test.go
+++ b/integration/ratelimit_test.go
@@ -28,34 +28,38 @@ func (s *RateLimitSuite) TestSimpleConfiguration(c *check.C) {
}{s.ServerIP})
defer os.Remove(file)
- cmd, _ := s.cmdTraefik(withConfigFile(file))
+ cmd, display := s.traefikCmd(withConfigFile(file))
+ defer display(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
- err = try.GetRequest("http://127.0.0.1:80/", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("ratelimit"))
c.Assert(err, checker.IsNil)
- err = try.GetRequest("http://127.0.0.1:80/", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
+
+ err = try.GetRequest("http://127.0.0.1:8081/", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
- err = try.GetRequest("http://127.0.0.1:80/", 500*time.Millisecond, try.StatusCodeIs(http.StatusTooManyRequests))
+ err = try.GetRequest("http://127.0.0.1:8081/", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
+ c.Assert(err, checker.IsNil)
+ err = try.GetRequest("http://127.0.0.1:8081/", 500*time.Millisecond, try.StatusCodeIs(http.StatusTooManyRequests))
c.Assert(err, checker.IsNil)
// sleep for 4 seconds to be certain the configured time period has elapsed
// then test another request and verify a 200 status code
time.Sleep(4 * time.Second)
- err = try.GetRequest("http://127.0.0.1:80/", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
+ err = try.GetRequest("http://127.0.0.1:8081/", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
// continue requests at 3 second intervals to test the other rate limit time period
time.Sleep(3 * time.Second)
- err = try.GetRequest("http://127.0.0.1:80/", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
+ err = try.GetRequest("http://127.0.0.1:8081/", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
time.Sleep(3 * time.Second)
- err = try.GetRequest("http://127.0.0.1:80/", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
+ err = try.GetRequest("http://127.0.0.1:8081/", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
time.Sleep(3 * time.Second)
- err = try.GetRequest("http://127.0.0.1:80/", 500*time.Millisecond, try.StatusCodeIs(http.StatusTooManyRequests))
+ err = try.GetRequest("http://127.0.0.1:8081/", 500*time.Millisecond, try.StatusCodeIs(http.StatusTooManyRequests))
c.Assert(err, checker.IsNil)
}
diff --git a/integration/resources/compose/access_log.yml b/integration/resources/compose/access_log.yml
index c000a2f01..bd080630e 100644
--- a/integration/resources/compose/access_log.yml
+++ b/integration/resources/compose/access_log.yml
@@ -11,6 +11,7 @@ server1:
- traefik.enable=true
- traefik.http.routers.rt-server1.entryPoints=web
- traefik.http.routers.rt-server1.rule=Host("frontend1.docker.local")
+ - traefik.http.routers.rt-server1.service=service1
- traefik.http.services.service1.loadbalancer.server.port=80
server2:
image: containous/whoami
@@ -19,7 +20,6 @@ server2:
- traefik.http.routers.rt-server2.entryPoints=web
- traefik.http.routers.rt-server2.rule=Host("frontend2.docker.local")
- traefik.http.services.service2.loadbalancer.server.port=80
- - traefik.http.services.service2.loadbalancer.method=drr
server3:
image: containous/whoami
labels:
@@ -27,7 +27,6 @@ server3:
- traefik.http.routers.rt-server3.entryPoints=web
- traefik.http.routers.rt-server3.rule=Host("frontend2.docker.local")
- traefik.http.services.service2.loadbalancer.server.port=80
- - traefik.http.services.service2.loadbalancer.method=drr
authFrontend:
image: containous/whoami
labels:
diff --git a/integration/resources/compose/k8s.yml b/integration/resources/compose/k8s.yml
index 07a860797..d457fc333 100644
--- a/integration/resources/compose/k8s.yml
+++ b/integration/resources/compose/k8s.yml
@@ -1,5 +1,5 @@
server:
- image: rancher/k3s:v0.2.0
+ image: rancher/k3s:v0.5.0
command: server --disable-agent --no-deploy traefik
environment:
- K3S_CLUSTER_SECRET=somethingtotallyrandom
@@ -12,7 +12,7 @@ server:
- 6443:6443
node:
- image: rancher/k3s:v0.2.0
+ image: rancher/k3s:v0.5.0
privileged: true
links:
- server
diff --git a/integration/resources/compose/tcp.yml b/integration/resources/compose/tcp.yml
index 23da94803..11706bb4a 100644
--- a/integration/resources/compose/tcp.yml
+++ b/integration/resources/compose/tcp.yml
@@ -30,3 +30,9 @@ whoami:
image: containous/whoami
ports:
- "8085:80"
+
+whoami-banner:
+ image: containous/whoamitcp
+ command: -name whoami-banner --banner
+ ports:
+ - "8086:8080"
diff --git a/integration/rest_test.go b/integration/rest_test.go
index 5f226bd87..86cad9d90 100644
--- a/integration/rest_test.go
+++ b/integration/rest_test.go
@@ -46,8 +46,7 @@ func (s *RestSuite) TestSimpleConfiguration(c *check.C) {
LoadBalancer: &config.LoadBalancerService{
Servers: []config.Server{
{
- URL: "http://" + s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress + ":80",
- Weight: 1,
+ URL: "http://" + s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress + ":80",
},
},
},
@@ -65,7 +64,7 @@ func (s *RestSuite) TestSimpleConfiguration(c *check.C) {
c.Assert(err, checker.IsNil)
c.Assert(response.StatusCode, checker.Equals, http.StatusOK)
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/rest/routers", 1000*time.Millisecond, try.BodyContains("PathPrefix(`/`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1000*time.Millisecond, try.BodyContains("PathPrefix(`/`)"))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8000/", 1000*time.Millisecond, try.StatusCodeIs(http.StatusOK))
diff --git a/integration/retry_test.go b/integration/retry_test.go
index f02bbd074..a2d404d16 100644
--- a/integration/retry_test.go
+++ b/integration/retry_test.go
@@ -31,7 +31,7 @@ func (s *RetrySuite) TestRetry(c *check.C) {
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 60*time.Second, try.BodyContains("PathPrefix(`/`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 60*time.Second, try.BodyContains("PathPrefix(`/`)"))
c.Assert(err, checker.IsNil)
// This simulates a DialTimeout when connecting to the backend server.
@@ -53,7 +53,7 @@ func (s *RetrySuite) TestRetryWebsocket(c *check.C) {
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 60*time.Second, try.BodyContains("PathPrefix(`/`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 60*time.Second, try.BodyContains("PathPrefix(`/`)"))
c.Assert(err, checker.IsNil)
// This simulates a DialTimeout when connecting to the backend server.
diff --git a/integration/simple_test.go b/integration/simple_test.go
index e0d72ad04..e949e9c5a 100644
--- a/integration/simple_test.go
+++ b/integration/simple_test.go
@@ -60,7 +60,7 @@ func (s *SimpleSuite) TestWithWebConfig(c *check.C) {
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
- err = try.GetRequest("http://127.0.0.1:8080/api/providers", 1*time.Second, try.StatusCodeIs(http.StatusOK))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
}
@@ -161,7 +161,7 @@ func (s *SimpleSuite) TestApiOnSameEntryPoint(c *check.C) {
s.createComposeProject(c, "base")
s.composeProject.Start(c)
- cmd, output := s.traefikCmd("--entryPoints=Name:http Address::8000", "--api.entryPoint=http", "--global.debug", "--providers.docker")
+ cmd, output := s.traefikCmd("--entryPoints.http.Address=:8000", "--api.entryPoint=http", "--log.level=DEBUG", "--providers.docker")
defer output(c)
err := cmd.Start()
@@ -173,10 +173,10 @@ func (s *SimpleSuite) TestApiOnSameEntryPoint(c *check.C) {
err = try.GetRequest("http://127.0.0.1:8000/test", 1*time.Second, try.StatusCodeIs(http.StatusNotFound))
c.Assert(err, checker.IsNil)
- err = try.GetRequest("http://127.0.0.1:8000/api/providers/docker", 1*time.Second, try.StatusCodeIs(http.StatusOK))
+ err = try.GetRequest("http://127.0.0.1:8000/api/rawdata", 1*time.Second, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
- err = try.GetRequest("http://127.0.0.1:8000/api/providers/docker/routers", 1*time.Second, try.BodyContains("PathPrefix"))
+ err = try.GetRequest("http://127.0.0.1:8000/api/rawdata", 1*time.Second, try.BodyContains("PathPrefix"))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8000/whoami", 1*time.Second, try.StatusCodeIs(http.StatusOK))
@@ -205,7 +205,7 @@ func (s *SimpleSuite) TestStatsWithMultipleEntryPoint(c *check.C) {
err = try.GetRequest("http://127.0.0.1:8080/api", 1*time.Second, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 1*time.Second, try.BodyContains("PathPrefix"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("PathPrefix"))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8000/whoami", 1*time.Second, try.StatusCodeIs(http.StatusOK))
@@ -230,7 +230,7 @@ func (s *SimpleSuite) TestNoAuthOnPing(c *check.C) {
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
- err = try.GetRequest("http://127.0.0.1:8001/api/providers", 2*time.Second, try.StatusCodeIs(http.StatusUnauthorized))
+ err = try.GetRequest("http://127.0.0.1:8001/api/rawdata", 2*time.Second, try.StatusCodeIs(http.StatusUnauthorized))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8001/ping", 1*time.Second, try.StatusCodeIs(http.StatusOK))
@@ -241,14 +241,14 @@ func (s *SimpleSuite) TestDefaultEntrypointHTTP(c *check.C) {
s.createComposeProject(c, "base")
s.composeProject.Start(c)
- cmd, output := s.traefikCmd("--entryPoints=Name:http Address::8000", "--global.debug", "--providers.docker", "--api")
+ cmd, output := s.traefikCmd("--entryPoints.http.Address=:8000", "--log.level=DEBUG", "--providers.docker", "--api")
defer output(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/docker/routers", 1*time.Second, try.BodyContains("PathPrefix"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("PathPrefix"))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8000/whoami", 1*time.Second, try.StatusCodeIs(http.StatusOK))
@@ -259,14 +259,14 @@ func (s *SimpleSuite) TestWithUnexistingEntrypoint(c *check.C) {
s.createComposeProject(c, "base")
s.composeProject.Start(c)
- cmd, output := s.traefikCmd("--entryPoints=Name:http Address::8000", "--global.debug", "--providers.docker", "--api")
+ cmd, output := s.traefikCmd("--entryPoints.http.Address=:8000", "--log.level=DEBUG", "--providers.docker", "--api")
defer output(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/docker/routers", 1*time.Second, try.BodyContains("PathPrefix"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("PathPrefix"))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8000/whoami", 1*time.Second, try.StatusCodeIs(http.StatusOK))
@@ -277,14 +277,14 @@ func (s *SimpleSuite) TestMetricsPrometheusDefaultEntrypoint(c *check.C) {
s.createComposeProject(c, "base")
s.composeProject.Start(c)
- cmd, output := s.traefikCmd("--entryPoints=Name:http Address::8000", "--api", "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0", "--providers.docker", "--global.debug")
+ cmd, output := s.traefikCmd("--entryPoints.http.Address=:8000", "--api", "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0", "--providers.docker", "--log.level=DEBUG")
defer output(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/docker/routers", 1*time.Second, try.BodyContains("PathPrefix"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("PathPrefix"))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8000/whoami", 1*time.Second, try.StatusCodeIs(http.StatusOK))
@@ -312,7 +312,7 @@ func (s *SimpleSuite) TestMultipleProviderSameBackendName(c *check.C) {
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 1*time.Second, try.BodyContains("PathPrefix"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("PathPrefix"))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8000/whoami", 1*time.Second, try.BodyContains(ipWhoami01))
@@ -334,10 +334,10 @@ func (s *SimpleSuite) TestIPStrategyWhitelist(c *check.C) {
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/docker/routers", 2*time.Second, try.BodyContains("override"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second, try.BodyContains("override"))
c.Assert(err, checker.IsNil)
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/docker/routers", 2*time.Second, try.BodyContains("override.remoteaddr.whitelist.docker.local"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second, try.BodyContains("override.remoteaddr.whitelist.docker.local"))
c.Assert(err, checker.IsNil)
testCases := []struct {
@@ -346,19 +346,6 @@ func (s *SimpleSuite) TestIPStrategyWhitelist(c *check.C) {
host string
expectedStatusCode int
}{
- // {
- // desc: "default client ip strategy accept",
- // xForwardedFor: "8.8.8.8,127.0.0.1",
- // host: "no.override.whitelist.docker.local",
- // expectedStatusCode: 200,
- // },
- // FIXME add clientipstrategy and forwarded headers on entrypoint
- // {
- // desc: "default client ip strategy reject",
- // xForwardedFor: "8.8.8.10,127.0.0.1",
- // host: "no.override.whitelist.docker.local",
- // expectedStatusCode: 403,
- // },
{
desc: "override remote addr reject",
xForwardedFor: "8.8.8.8,8.8.8.8",
@@ -415,7 +402,7 @@ func (s *SimpleSuite) TestXForwardedHeaders(c *check.C) {
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/docker/routers", 2*time.Second,
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second,
try.BodyContains("override.remoteaddr.whitelist.docker.local"))
c.Assert(err, checker.IsNil)
@@ -450,15 +437,15 @@ func (s *SimpleSuite) TestMultiprovider(c *check.C) {
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/services", 1000*time.Millisecond, try.BodyContains("service"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1000*time.Millisecond, try.BodyContains("service"))
c.Assert(err, checker.IsNil)
config := config.HTTPConfiguration{
Routers: map[string]*config.Router{
"router1": {
EntryPoints: []string{"web"},
- Middlewares: []string{"file.customheader"},
- Service: "file.service",
+ Middlewares: []string{"file@customheader"},
+ Service: "file@service",
Rule: "PathPrefix(`/`)",
},
},
@@ -474,10 +461,61 @@ func (s *SimpleSuite) TestMultiprovider(c *check.C) {
c.Assert(err, checker.IsNil)
c.Assert(response.StatusCode, checker.Equals, http.StatusOK)
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/rest/routers", 1000*time.Millisecond, try.BodyContains("PathPrefix(`/`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1000*time.Millisecond, try.BodyContains("PathPrefix(`/`)"))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8000/", 1*time.Second, try.StatusCodeIs(http.StatusOK), try.BodyContains("CustomValue"))
c.Assert(err, checker.IsNil)
}
+
+func (s *SimpleSuite) TestSimpleConfigurationHostRequestTrailingPeriod(c *check.C) {
+ s.createComposeProject(c, "base")
+ s.composeProject.Start(c)
+
+ server := "http://" + s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress
+
+ file := s.adaptFile(c, "fixtures/file/simple-hosts.toml", struct {
+ Server string
+ }{Server: server})
+ defer os.Remove(file)
+
+ cmd, output := s.traefikCmd(withConfigFile(file))
+ defer output(c)
+
+ err := cmd.Start()
+ c.Assert(err, checker.IsNil)
+ defer cmd.Process.Kill()
+
+ testCases := []struct {
+ desc string
+ requestHost string
+ }{
+ {
+ desc: "Request host without trailing period, rule without trailing period",
+ requestHost: "test.localhost",
+ },
+ {
+ desc: "Request host with trailing period, rule without trailing period",
+ requestHost: "test.localhost.",
+ },
+ {
+ desc: "Request host without trailing period, rule with trailing period",
+ requestHost: "test.foo.localhost",
+ },
+ {
+ desc: "Request host with trailing period, rule with trailing period",
+ requestHost: "test.foo.localhost.",
+ },
+ }
+
+ for _, test := range testCases {
+ req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000", nil)
+ c.Assert(err, checker.IsNil)
+ req.Host = test.requestHost
+ err = try.Request(req, 1*time.Second, try.StatusCodeIs(http.StatusOK))
+ if err != nil {
+ c.Fatalf("Error while testing %s: %v", test.desc, err)
+ }
+ }
+}
diff --git a/integration/tcp_test.go b/integration/tcp_test.go
index 4b634b5c9..095993166 100644
--- a/integration/tcp_test.go
+++ b/integration/tcp_test.go
@@ -4,6 +4,7 @@ import (
"crypto/tls"
"net"
"net/http"
+ "net/http/httptest"
"os"
"time"
@@ -20,8 +21,7 @@ func (s *TCPSuite) SetUpSuite(c *check.C) {
}
func (s *TCPSuite) TestMixed(c *check.C) {
- file := s.adaptFile(c, "fixtures/tcp/mixed.toml", struct {
- }{})
+ file := s.adaptFile(c, "fixtures/tcp/mixed.toml", struct{}{})
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
@@ -31,20 +31,20 @@ func (s *TCPSuite) TestMixed(c *check.C) {
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK), try.BodyContains("Path(`/test`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK), try.BodyContains("Path(`/test`)"))
c.Assert(err, checker.IsNil)
- //Traefik passes through, termination handled by whoami-a
+ // Traefik passes through, termination handled by whoami-a
out, err := guessWho("127.0.0.1:8093", "whoami-a.test", true)
c.Assert(err, checker.IsNil)
c.Assert(out, checker.Contains, "whoami-a")
- //Traefik passes through, termination handled by whoami-b
+ // Traefik passes through, termination handled by whoami-b
out, err = guessWho("127.0.0.1:8093", "whoami-b.test", true)
c.Assert(err, checker.IsNil)
c.Assert(out, checker.Contains, "whoami-b")
- //Termination handled by traefik
+ // Termination handled by traefik
out, err = guessWho("127.0.0.1:8093", "whoami-c.test", true)
c.Assert(err, checker.IsNil)
c.Assert(out, checker.Contains, "whoami-no-cert")
@@ -70,9 +70,38 @@ func (s *TCPSuite) TestMixed(c *check.C) {
c.Assert(err, checker.IsNil)
}
+func (s *TCPSuite) TestTLSOptions(c *check.C) {
+ file := s.adaptFile(c, "fixtures/tcp/multi-tls-options.toml", struct{}{})
+ defer os.Remove(file)
+
+ cmd, display := s.traefikCmd(withConfigFile(file))
+ defer display(c)
+
+ err := cmd.Start()
+ c.Assert(err, checker.IsNil)
+ defer cmd.Process.Kill()
+
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK), try.BodyContains("HostSNI(`whoami-c.test`)"))
+ c.Assert(err, checker.IsNil)
+
+ // Check that we can use a client tls version <= 1.1 with hostSNI 'whoami-c.test'
+ out, err := guessWhoTLSMaxVersion("127.0.0.1:8093", "whoami-c.test", true, tls.VersionTLS11)
+ c.Assert(err, checker.IsNil)
+ c.Assert(out, checker.Contains, "whoami-no-cert")
+
+ // Check that we can use a client tls version <= 1.2 with hostSNI 'whoami-d.test'
+ out, err = guessWhoTLSMaxVersion("127.0.0.1:8093", "whoami-d.test", true, tls.VersionTLS12)
+ c.Assert(err, checker.IsNil)
+ c.Assert(out, checker.Contains, "whoami-no-cert")
+
+ // Check that we cannot use a client tls version <= 1.1 with hostSNI 'whoami-d.test'
+ _, err = guessWhoTLSMaxVersion("127.0.0.1:8093", "whoami-d.test", true, tls.VersionTLS11)
+ c.Assert(err, checker.NotNil)
+ c.Assert(err.Error(), checker.Contains, "protocol version not supported")
+}
+
func (s *TCPSuite) TestNonTLSFallback(c *check.C) {
- file := s.adaptFile(c, "fixtures/tcp/non-tls-fallback.toml", struct {
- }{})
+ file := s.adaptFile(c, "fixtures/tcp/non-tls-fallback.toml", struct{}{})
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
@@ -85,17 +114,17 @@ func (s *TCPSuite) TestNonTLSFallback(c *check.C) {
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK), try.BodyContains("HostSNI(`*`)"))
c.Assert(err, checker.IsNil)
- //Traefik passes through, termination handled by whoami-a
+ // Traefik passes through, termination handled by whoami-a
out, err := guessWho("127.0.0.1:8093", "whoami-a.test", true)
c.Assert(err, checker.IsNil)
c.Assert(out, checker.Contains, "whoami-a")
- //Traefik passes through, termination handled by whoami-b
+ // Traefik passes through, termination handled by whoami-b
out, err = guessWho("127.0.0.1:8093", "whoami-b.test", true)
c.Assert(err, checker.IsNil)
c.Assert(out, checker.Contains, "whoami-b")
- //Termination handled by traefik
+ // Termination handled by traefik
out, err = guessWho("127.0.0.1:8093", "whoami-c.test", true)
c.Assert(err, checker.IsNil)
c.Assert(out, checker.Contains, "whoami-no-cert")
@@ -106,9 +135,7 @@ func (s *TCPSuite) TestNonTLSFallback(c *check.C) {
}
func (s *TCPSuite) TestNonTlsTcp(c *check.C) {
-
- file := s.adaptFile(c, "fixtures/tcp/non-tls.toml", struct {
- }{})
+ file := s.adaptFile(c, "fixtures/tcp/non-tls.toml", struct{}{})
defer os.Remove(file)
cmd, display := s.traefikCmd(withConfigFile(file))
@@ -121,18 +148,94 @@ func (s *TCPSuite) TestNonTlsTcp(c *check.C) {
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK), try.BodyContains("HostSNI(`*`)"))
c.Assert(err, checker.IsNil)
- //Traefik will forward every requests on the given port to whoami-no-tls
+ // Traefik will forward every requests on the given port to whoami-no-tls
out, err := guessWho("127.0.0.1:8093", "", false)
c.Assert(err, checker.IsNil)
c.Assert(out, checker.Contains, "whoami-no-tls")
}
+func (s *TCPSuite) TestCatchAllNoTLS(c *check.C) {
+ file := s.adaptFile(c, "fixtures/tcp/catch-all-no-tls.toml", struct{}{})
+ defer os.Remove(file)
+
+ cmd, display := s.traefikCmd(withConfigFile(file))
+ defer display(c)
+
+ err := cmd.Start()
+ c.Assert(err, checker.IsNil)
+ defer cmd.Process.Kill()
+
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK), try.BodyContains("HostSNI(`*`)"))
+ c.Assert(err, checker.IsNil)
+
+ // Traefik will forward every requests on the given port to whoami-no-tls
+ out, err := welcome("127.0.0.1:8093")
+ c.Assert(err, checker.IsNil)
+ c.Assert(out, checker.Contains, "Welcome")
+}
+
+func (s *TCPSuite) TestCatchAllNoTLSWithHTTPS(c *check.C) {
+ file := s.adaptFile(c, "fixtures/tcp/catch-all-no-tls-with-https.toml", struct{}{})
+ defer os.Remove(file)
+
+ cmd, display := s.traefikCmd(withConfigFile(file))
+ defer display(c)
+
+ err := cmd.Start()
+ c.Assert(err, checker.IsNil)
+ defer cmd.Process.Kill()
+
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK), try.BodyContains("HostSNI(`*`)"))
+ c.Assert(err, checker.IsNil)
+
+ req := httptest.NewRequest(http.MethodGet, "https://127.0.0.1:8093/test", nil)
+ req.RequestURI = ""
+
+ err = try.RequestWithTransport(req, 500*time.Millisecond, &http.Transport{
+ TLSClientConfig: &tls.Config{
+ InsecureSkipVerify: true,
+ },
+ }, try.StatusCodeIs(http.StatusOK))
+ c.Assert(err, checker.IsNil)
+}
+
+func welcome(addr string) (string, error) {
+ tcpAddr, err := net.ResolveTCPAddr("tcp", addr)
+ if err != nil {
+ return "", err
+ }
+
+ conn, err := net.DialTCP("tcp", nil, tcpAddr)
+ if err != nil {
+ return "", err
+ }
+ defer conn.Close()
+
+ out := make([]byte, 2048)
+ n, err := conn.Read(out)
+ if err != nil {
+ return "", err
+ }
+
+ return string(out[:n]), nil
+}
+
func guessWho(addr, serverName string, tlsCall bool) (string, error) {
+ return guessWhoTLSMaxVersion(addr, serverName, tlsCall, 0)
+}
+
+func guessWhoTLSMaxVersion(addr, serverName string, tlsCall bool, tlsMaxVersion uint16) (string, error) {
var conn net.Conn
var err error
if tlsCall {
- conn, err = tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
+
+ conn, err = tls.Dial("tcp", addr, &tls.Config{
+ ServerName: serverName,
+ InsecureSkipVerify: true,
+ MinVersion: 0,
+ MaxVersion: tlsMaxVersion,
+ })
} else {
tcpAddr, err2 := net.ResolveTCPAddr("tcp", addr)
if err2 != nil {
diff --git a/integration/testdata/rawdata-crd.json b/integration/testdata/rawdata-crd.json
new file mode 100644
index 000000000..708ea5643
--- /dev/null
+++ b/integration/testdata/rawdata-crd.json
@@ -0,0 +1,102 @@
+{
+ "routers": {
+ "kubernetescrd@default/test-crd-6b204d94623b3df4370c": {
+ "entryPoints": [
+ "web"
+ ],
+ "service": "default/test-crd-6b204d94623b3df4370c",
+ "rule": "Host(`foo.com`) \u0026\u0026 PathPrefix(`/bar`)",
+ "priority": 12
+ },
+ "kubernetescrd@default/test2-crd-23c7f4c450289ee29016": {
+ "entryPoints": [
+ "web"
+ ],
+ "middlewares": [
+ "default/stripprefix"
+ ],
+ "service": "default/test2-crd-23c7f4c450289ee29016",
+ "rule": "Host(`foo.com`) \u0026\u0026 PathPrefix(`/tobestripped`)"
+ }
+ },
+ "middlewares": {
+ "kubernetescrd@default/stripprefix": {
+ "stripPrefix": {
+ "prefixes": [
+ "/tobestripped"
+ ]
+ },
+ "usedBy": [
+ "kubernetescrd@default/test2-crd-23c7f4c450289ee29016"
+ ]
+ }
+ },
+ "services": {
+ "kubernetescrd@default/test-crd-6b204d94623b3df4370c": {
+ "loadbalancer": {
+ "servers": [
+ {
+ "url": "http://10.42.0.4:80"
+ },
+ {
+ "url": "http://10.42.0.5:80"
+ }
+ ],
+ "passHostHeader": true
+ },
+ "usedBy": [
+ "kubernetescrd@default/test-crd-6b204d94623b3df4370c"
+ ],
+ "serverStatus": {
+ "http://10.42.0.4:80": "UP",
+ "http://10.42.0.5:80": "UP"
+ }
+ },
+ "kubernetescrd@default/test2-crd-23c7f4c450289ee29016": {
+ "loadbalancer": {
+ "servers": [
+ {
+ "url": "http://10.42.0.4:80"
+ },
+ {
+ "url": "http://10.42.0.5:80"
+ }
+ ],
+ "passHostHeader": true
+ },
+ "usedBy": [
+ "kubernetescrd@default/test2-crd-23c7f4c450289ee29016"
+ ],
+ "serverStatus": {
+ "http://10.42.0.4:80": "UP",
+ "http://10.42.0.5:80": "UP"
+ }
+ }
+ },
+ "tcpRouters": {
+ "kubernetescrd@default/test3-crd-673acf455cb2dab0b43a": {
+ "entryPoints": [
+ "footcp"
+ ],
+ "service": "default/test3-crd-673acf455cb2dab0b43a",
+ "rule": "HostSNI(`*`)"
+ }
+ },
+ "tcpServices": {
+ "kubernetescrd@default/test3-crd-673acf455cb2dab0b43a": {
+ "loadbalancer": {
+ "servers": [
+ {
+ "address": "10.42.0.2:8080"
+ },
+ {
+ "address": "10.42.0.3:8080"
+ }
+ ]
+ },
+ "usedBy": [
+ "kubernetescrd@default/test3-crd-673acf455cb2dab0b43a"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/integration/testdata/rawdata-ingress.json b/integration/testdata/rawdata-ingress.json
new file mode 100644
index 000000000..0f7bb021f
--- /dev/null
+++ b/integration/testdata/rawdata-ingress.json
@@ -0,0 +1,31 @@
+{
+ "routers": {
+ "kubernetes@whoami-test/whoami": {
+ "entryPoints": null,
+ "service": "default/whoami/http",
+ "rule": "Host(`whoami.test`) \u0026\u0026 PathPrefix(`/whoami`)"
+ }
+ },
+ "services": {
+ "kubernetes@default/whoami/http": {
+ "loadbalancer": {
+ "servers": [
+ {
+ "url": "http://10.42.0.2:80"
+ },
+ {
+ "url": "http://10.42.0.5:80"
+ }
+ ],
+ "passHostHeader": true
+ },
+ "usedBy": [
+ "kubernetes@whoami-test/whoami"
+ ],
+ "serverStatus": {
+ "http://10.42.0.2:80": "UP",
+ "http://10.42.0.5:80": "UP"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/integration/timeout_test.go b/integration/timeout_test.go
index d45d59abc..43db8761c 100644
--- a/integration/timeout_test.go
+++ b/integration/timeout_test.go
@@ -31,7 +31,7 @@ func (s *TimeoutSuite) TestForwardingTimeouts(c *check.C) {
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/routers", 60*time.Second, try.BodyContains("Path(`/dialTimeout`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 60*time.Second, try.BodyContains("Path(`/dialTimeout`)"))
c.Assert(err, checker.IsNil)
// This simulates a DialTimeout when connecting to the backend server.
diff --git a/integration/tls_client_headers_test.go b/integration/tls_client_headers_test.go
index 83ba22add..f46ed660d 100644
--- a/integration/tls_client_headers_test.go
+++ b/integration/tls_client_headers_test.go
@@ -50,7 +50,7 @@ func (s *TLSClientHeadersSuite) TestTLSClientHeaders(c *check.C) {
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/docker/routers", 2*time.Second, try.BodyContains("PathPrefix(`/`)"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second, try.BodyContains("PathPrefix(`/`)"))
c.Assert(err, checker.IsNil)
request, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:8443", nil)
diff --git a/integration/tracing_test.go b/integration/tracing_test.go
index 5bd8b8a43..652ac04f7 100644
--- a/integration/tracing_test.go
+++ b/integration/tracing_test.go
@@ -59,6 +59,10 @@ func (s *TracingSuite) TestZipkinRateLimit(c *check.C) {
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
+ // wait for traefik
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", time.Second, try.BodyContains("basic-auth"))
+ c.Assert(err, checker.IsNil)
+
err = try.GetRequest("http://127.0.0.1:8000/ratelimit", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8000/ratelimit", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
@@ -85,7 +89,7 @@ func (s *TracingSuite) TestZipkinRateLimit(c *check.C) {
err = try.GetRequest("http://127.0.0.1:8000/ratelimit", 500*time.Millisecond, try.StatusCodeIs(http.StatusTooManyRequests))
c.Assert(err, checker.IsNil)
- err = try.GetRequest("http://"+s.ZipkinIP+":9411/api/v2/spans?serviceName=tracing", 20*time.Second, try.BodyContains("forward service1/file.router1", "file.ratelimit"))
+ err = try.GetRequest("http://"+s.ZipkinIP+":9411/api/v2/spans?serviceName=tracing", 20*time.Second, try.BodyContains("forward service1/file@router1", "file@ratelimit"))
c.Assert(err, checker.IsNil)
}
@@ -106,10 +110,14 @@ func (s *TracingSuite) TestZipkinRetry(c *check.C) {
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
+ // wait for traefik
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", time.Second, try.BodyContains("basic-auth"))
+ c.Assert(err, checker.IsNil)
+
err = try.GetRequest("http://127.0.0.1:8000/retry", 500*time.Millisecond, try.StatusCodeIs(http.StatusBadGateway))
c.Assert(err, checker.IsNil)
- err = try.GetRequest("http://"+s.ZipkinIP+":9411/api/v2/spans?serviceName=tracing", 20*time.Second, try.BodyContains("forward service2/file.router2", "file.retry"))
+ err = try.GetRequest("http://"+s.ZipkinIP+":9411/api/v2/spans?serviceName=tracing", 20*time.Second, try.BodyContains("forward service2/file@router2", "file@retry"))
c.Assert(err, checker.IsNil)
}
@@ -129,9 +137,13 @@ func (s *TracingSuite) TestZipkinAuth(c *check.C) {
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
+ // wait for traefik
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", time.Second, try.BodyContains("basic-auth"))
+ c.Assert(err, checker.IsNil)
+
err = try.GetRequest("http://127.0.0.1:8000/auth", 500*time.Millisecond, try.StatusCodeIs(http.StatusUnauthorized))
c.Assert(err, checker.IsNil)
- err = try.GetRequest("http://"+s.ZipkinIP+":9411/api/v2/spans?serviceName=tracing", 20*time.Second, try.BodyContains("entrypoint web", "file.basic-auth"))
+ err = try.GetRequest("http://"+s.ZipkinIP+":9411/api/v2/spans?serviceName=tracing", 20*time.Second, try.BodyContains("entrypoint web", "file@basic-auth"))
c.Assert(err, checker.IsNil)
}
diff --git a/integration/websocket_test.go b/integration/websocket_test.go
index a117ce01d..ef83c88bf 100644
--- a/integration/websocket_test.go
+++ b/integration/websocket_test.go
@@ -49,7 +49,7 @@ func (s *WebsocketSuite) TestBase(c *check.C) {
})
defer os.Remove(file)
- cmd, display := s.traefikCmd(withConfigFile(file), "--global.debug")
+ cmd, display := s.traefikCmd(withConfigFile(file), "--log.level=DEBUG")
defer display(c)
err := cmd.Start()
@@ -57,7 +57,7 @@ func (s *WebsocketSuite) TestBase(c *check.C) {
defer cmd.Process.Kill()
// wait for traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/services", 10*time.Second, try.BodyContains("127.0.0.1"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.BodyContains("127.0.0.1"))
c.Assert(err, checker.IsNil)
conn, _, err := gorillawebsocket.DefaultDialer.Dial("ws://127.0.0.1:8000/ws", nil)
@@ -99,7 +99,7 @@ func (s *WebsocketSuite) TestWrongOrigin(c *check.C) {
})
defer os.Remove(file)
- cmd, display := s.traefikCmd(withConfigFile(file), "--global.debug")
+ cmd, display := s.traefikCmd(withConfigFile(file), "--log.level=DEBUG")
defer display(c)
err := cmd.Start()
@@ -107,7 +107,7 @@ func (s *WebsocketSuite) TestWrongOrigin(c *check.C) {
defer cmd.Process.Kill()
// wait for traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/services", 10*time.Second, try.BodyContains("127.0.0.1"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.BodyContains("127.0.0.1"))
c.Assert(err, checker.IsNil)
config, err := websocket.NewConfig("ws://127.0.0.1:8000/ws", "ws://127.0.0.1:800")
@@ -149,7 +149,7 @@ func (s *WebsocketSuite) TestOrigin(c *check.C) {
})
defer os.Remove(file)
- cmd, display := s.traefikCmd(withConfigFile(file), "--global.debug")
+ cmd, display := s.traefikCmd(withConfigFile(file), "--log.level=DEBUG")
defer display(c)
err := cmd.Start()
@@ -157,7 +157,7 @@ func (s *WebsocketSuite) TestOrigin(c *check.C) {
defer cmd.Process.Kill()
// wait for traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/services", 10*time.Second, try.BodyContains("127.0.0.1"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.BodyContains("127.0.0.1"))
c.Assert(err, checker.IsNil)
config, err := websocket.NewConfig("ws://127.0.0.1:8000/ws", "ws://127.0.0.1:8000")
@@ -210,7 +210,7 @@ func (s *WebsocketSuite) TestWrongOriginIgnoredByServer(c *check.C) {
})
defer os.Remove(file)
- cmd, display := s.traefikCmd(withConfigFile(file), "--global.debug")
+ cmd, display := s.traefikCmd(withConfigFile(file), "--log.level=DEBUG")
defer display(c)
err := cmd.Start()
@@ -218,7 +218,7 @@ func (s *WebsocketSuite) TestWrongOriginIgnoredByServer(c *check.C) {
defer cmd.Process.Kill()
// wait for traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/services", 10*time.Second, try.BodyContains("127.0.0.1"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.BodyContains("127.0.0.1"))
c.Assert(err, checker.IsNil)
config, err := websocket.NewConfig("ws://127.0.0.1:8000/ws", "ws://127.0.0.1:80")
@@ -268,7 +268,7 @@ func (s *WebsocketSuite) TestSSLTermination(c *check.C) {
})
defer os.Remove(file)
- cmd, display := s.traefikCmd(withConfigFile(file), "--global.debug")
+ cmd, display := s.traefikCmd(withConfigFile(file), "--log.level=DEBUG")
defer display(c)
err := cmd.Start()
@@ -276,7 +276,7 @@ func (s *WebsocketSuite) TestSSLTermination(c *check.C) {
defer cmd.Process.Kill()
// wait for traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/services", 10*time.Second, try.BodyContains("127.0.0.1"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.BodyContains("127.0.0.1"))
c.Assert(err, checker.IsNil)
// Add client self-signed cert
@@ -331,7 +331,7 @@ func (s *WebsocketSuite) TestBasicAuth(c *check.C) {
})
defer os.Remove(file)
- cmd, display := s.traefikCmd(withConfigFile(file), "--global.debug")
+ cmd, display := s.traefikCmd(withConfigFile(file), "--log.level=DEBUG")
defer display(c)
err := cmd.Start()
@@ -339,7 +339,7 @@ func (s *WebsocketSuite) TestBasicAuth(c *check.C) {
defer cmd.Process.Kill()
// wait for traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/services", 10*time.Second, try.BodyContains("127.0.0.1"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.BodyContains("127.0.0.1"))
c.Assert(err, checker.IsNil)
config, err := websocket.NewConfig("ws://127.0.0.1:8000/ws", "ws://127.0.0.1:8000")
@@ -375,7 +375,7 @@ func (s *WebsocketSuite) TestSpecificResponseFromBackend(c *check.C) {
})
defer os.Remove(file)
- cmd, display := s.traefikCmd(withConfigFile(file), "--global.debug")
+ cmd, display := s.traefikCmd(withConfigFile(file), "--log.level=DEBUG")
defer display(c)
err := cmd.Start()
@@ -383,7 +383,7 @@ func (s *WebsocketSuite) TestSpecificResponseFromBackend(c *check.C) {
defer cmd.Process.Kill()
// wait for traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/services", 10*time.Second, try.BodyContains("127.0.0.1"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.BodyContains("127.0.0.1"))
c.Assert(err, checker.IsNil)
_, resp, err := gorillawebsocket.DefaultDialer.Dial("ws://127.0.0.1:8000/ws", nil)
@@ -421,7 +421,7 @@ func (s *WebsocketSuite) TestURLWithURLEncodedChar(c *check.C) {
})
defer os.Remove(file)
- cmd, display := s.traefikCmd(withConfigFile(file), "--global.debug")
+ cmd, display := s.traefikCmd(withConfigFile(file), "--log.level=DEBUG")
defer display(c)
err := cmd.Start()
@@ -429,7 +429,7 @@ func (s *WebsocketSuite) TestURLWithURLEncodedChar(c *check.C) {
defer cmd.Process.Kill()
// wait for traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/services", 10*time.Second, try.BodyContains("127.0.0.1"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.BodyContains("127.0.0.1"))
c.Assert(err, checker.IsNil)
conn, _, err := gorillawebsocket.DefaultDialer.Dial("ws://127.0.0.1:8000/ws/http%3A%2F%2Ftest", nil)
@@ -476,7 +476,7 @@ func (s *WebsocketSuite) TestSSLhttp2(c *check.C) {
})
defer os.Remove(file)
- cmd, display := s.traefikCmd(withConfigFile(file), "--global.debug", "--accesslog")
+ cmd, display := s.traefikCmd(withConfigFile(file), "--log.level=DEBUG", "--accesslog")
defer display(c)
err := cmd.Start()
@@ -484,7 +484,7 @@ func (s *WebsocketSuite) TestSSLhttp2(c *check.C) {
defer cmd.Process.Kill()
// wait for traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/services", 10*time.Second, try.BodyContains("127.0.0.1"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.BodyContains("127.0.0.1"))
c.Assert(err, checker.IsNil)
// Add client self-signed cert
@@ -535,7 +535,7 @@ func (s *WebsocketSuite) TestHeaderAreForwared(c *check.C) {
})
defer os.Remove(file)
- cmd, display := s.traefikCmd(withConfigFile(file), "--global.debug")
+ cmd, display := s.traefikCmd(withConfigFile(file), "--log.level=DEBUG")
defer display(c)
err := cmd.Start()
@@ -543,7 +543,7 @@ func (s *WebsocketSuite) TestHeaderAreForwared(c *check.C) {
defer cmd.Process.Kill()
// wait for traefik
- err = try.GetRequest("http://127.0.0.1:8080/api/providers/file/services", 10*time.Second, try.BodyContains("127.0.0.1"))
+ err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.BodyContains("127.0.0.1"))
c.Assert(err, checker.IsNil)
headers := http.Header{}
diff --git a/old/docs/CNAME b/old/docs/CNAME
deleted file mode 100644
index f4446d431..000000000
--- a/old/docs/CNAME
+++ /dev/null
@@ -1 +0,0 @@
-docs.traefik.io
\ No newline at end of file
diff --git a/old/docs/benchmarks.md b/old/docs/benchmarks.md
deleted file mode 100644
index 4565d0449..000000000
--- a/old/docs/benchmarks.md
+++ /dev/null
@@ -1,214 +0,0 @@
-# Benchmarks
-
-## Configuration
-
-I would like to thanks [vincentbernat](https://github.com/vincentbernat) from [exoscale.ch](https://www.exoscale.ch) who kindly provided the infrastructure needed for the benchmarks.
-
-I used 4 VMs for the tests with the following configuration:
-
-- 32 GB RAM
-- 8 CPU Cores
-- 10 GB SSD
-- Ubuntu 14.04 LTS 64-bit
-
-## Setup
-
-1. One VM used to launch the benchmarking tool [wrk](https://github.com/wg/wrk)
-2. One VM for Traefik (v1.0.0-beta.416) / nginx (v1.4.6)
-3. Two VMs for 2 backend servers in go [whoami](https://github.com/containous/whoami/)
-
-Each VM has been tuned using the following limits:
-
-```bash
-sysctl -w fs.file-max="9999999"
-sysctl -w fs.nr_open="9999999"
-sysctl -w net.core.netdev_max_backlog="4096"
-sysctl -w net.core.rmem_max="16777216"
-sysctl -w net.core.somaxconn="65535"
-sysctl -w net.core.wmem_max="16777216"
-sysctl -w net.ipv4.ip_local_port_range="1025 65535"
-sysctl -w net.ipv4.tcp_fin_timeout="30"
-sysctl -w net.ipv4.tcp_keepalive_time="30"
-sysctl -w net.ipv4.tcp_max_syn_backlog="20480"
-sysctl -w net.ipv4.tcp_max_tw_buckets="400000"
-sysctl -w net.ipv4.tcp_no_metrics_save="1"
-sysctl -w net.ipv4.tcp_syn_retries="2"
-sysctl -w net.ipv4.tcp_synack_retries="2"
-sysctl -w net.ipv4.tcp_tw_recycle="1"
-sysctl -w net.ipv4.tcp_tw_reuse="1"
-sysctl -w vm.min_free_kbytes="65536"
-sysctl -w vm.overcommit_memory="1"
-ulimit -n 9999999
-```
-
-### Nginx
-
-Here is the config Nginx file use `/etc/nginx/nginx.conf`:
-
-```
-user www-data;
-worker_processes auto;
-worker_rlimit_nofile 200000;
-pid /var/run/nginx.pid;
-
-events {
- worker_connections 10000;
- use epoll;
- multi_accept on;
-}
-
-http {
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 300;
- keepalive_requests 10000;
- types_hash_max_size 2048;
-
- open_file_cache max=200000 inactive=300s;
- open_file_cache_valid 300s;
- open_file_cache_min_uses 2;
- open_file_cache_errors on;
-
- server_tokens off;
- dav_methods off;
-
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- access_log /var/log/nginx/access.log combined;
- error_log /var/log/nginx/error.log warn;
-
- gzip off;
- gzip_vary off;
-
- include /etc/nginx/conf.d/*.conf;
- include /etc/nginx/sites-enabled/*.conf;
-}
-```
-
-Here is the Nginx vhost file used:
-
-```
-upstream whoami {
- server IP-whoami1:80;
- server IP-whoami2:80;
- keepalive 300;
-}
-
-server {
- listen 8001;
- server_name test.traefik;
- access_log off;
- error_log /dev/null crit;
- if ($host != "test.traefik") {
- return 404;
- }
- location / {
- proxy_pass http://whoami;
- proxy_http_version 1.1;
- proxy_set_header Connection "";
- proxy_set_header X-Forwarded-Host $host;
- }
-}
-```
-
-### Traefik
-
-Here is the `traefik.toml` file used:
-
-```toml
-maxIdleConnsPerHost = 100000
-defaultEntryPoints = ["http"]
-
-[entryPoints]
- [entryPoints.http]
- address = ":8000"
-
-[file]
-[backends]
- [backends.backend1]
- [backends.backend1.servers.server1]
- url = "http://IP-whoami1:80"
- weight = 1
- [backends.backend1.servers.server2]
- url = "http://IP-whoami2:80"
- weight = 1
-
-[frontends]
- [frontends.frontend1]
- backend = "backend1"
- [frontends.frontend1.routes.test_1]
- rule = "Host: test.traefik"
-```
-
-## Results
-
-### whoami:
-```shell
-wrk -t20 -c1000 -d60s -H "Host: test.traefik" --latency http://IP-whoami:80/bench
-Running 1m test @ http://IP-whoami:80/bench
- 20 threads and 1000 connections
- Thread Stats Avg Stdev Max +/- Stdev
- Latency 70.28ms 134.72ms 1.91s 89.94%
- Req/Sec 2.92k 742.42 8.78k 68.80%
- Latency Distribution
- 50% 10.63ms
- 75% 75.64ms
- 90% 205.65ms
- 99% 668.28ms
- 3476705 requests in 1.00m, 384.61MB read
- Socket errors: connect 0, read 0, write 0, timeout 103
-Requests/sec: 57894.35
-Transfer/sec: 6.40MB
-```
-
-### nginx:
-```shell
-wrk -t20 -c1000 -d60s -H "Host: test.traefik" --latency http://IP-nginx:8001/bench
-Running 1m test @ http://IP-nginx:8001/bench
- 20 threads and 1000 connections
- Thread Stats Avg Stdev Max +/- Stdev
- Latency 101.25ms 180.09ms 1.99s 89.34%
- Req/Sec 1.69k 567.69 9.39k 72.62%
- Latency Distribution
- 50% 15.46ms
- 75% 129.11ms
- 90% 302.44ms
- 99% 846.59ms
- 2018427 requests in 1.00m, 298.36MB read
- Socket errors: connect 0, read 0, write 0, timeout 90
-Requests/sec: 33591.67
-Transfer/sec: 4.97MB
-```
-
-### Traefik:
-
-```shell
-wrk -t20 -c1000 -d60s -H "Host: test.traefik" --latency http://IP-traefik:8000/bench
-Running 1m test @ http://IP-traefik:8000/bench
- 20 threads and 1000 connections
- Thread Stats Avg Stdev Max +/- Stdev
- Latency 91.72ms 150.43ms 2.00s 90.50%
- Req/Sec 1.43k 266.37 2.97k 69.77%
- Latency Distribution
- 50% 19.74ms
- 75% 121.98ms
- 90% 237.39ms
- 99% 687.49ms
- 1705073 requests in 1.00m, 188.63MB read
- Socket errors: connect 0, read 0, write 0, timeout 7
-Requests/sec: 28392.44
-Transfer/sec: 3.14MB
-```
-
-## Conclusion
-
-Traefik is obviously slower than Nginx, but not so much: Traefik can serve 28392 requests/sec and Nginx 33591 requests/sec which gives a ratio of 85%.
-Not bad for young project :) !
-
-Some areas of possible improvements:
-
-- Use [GO_REUSEPORT](https://github.com/kavu/go_reuseport) listener
-- Run a separate server instance per CPU core with `GOMAXPROCS=1` (it appears during benchmarks that there is a lot more context switches with Traefik than with nginx)
-
diff --git a/old/docs/configuration/api.md b/old/docs/configuration/api.md
deleted file mode 100644
index 2d746afcb..000000000
--- a/old/docs/configuration/api.md
+++ /dev/null
@@ -1,347 +0,0 @@
-# API Definition
-
-## Configuration
-
-```toml
-# API definition
-# Warning: Enabling API will expose Traefik's configuration.
-# It is not recommended in production,
-# unless secured by authentication and authorizations
-[api]
- # Name of the related entry point
- #
- # Optional
- # Default: "traefik"
- #
- entryPoint = "traefik"
-
- # Enable Dashboard
- #
- # Optional
- # Default: true
- #
- dashboard = true
-
- # Enable debug mode.
- # This will install HTTP handlers to expose Go expvars under /debug/vars and
- # pprof profiling data under /debug/pprof/.
- # Additionally, the log level will be set to DEBUG.
- #
- # Optional
- # Default: false
- #
- debug = true
-```
-
-For more customization, see [entry points](/configuration/entrypoints/) documentation and the examples below.
-
-## Web UI
-
-![Web UI Providers](/img/web.frontend.png)
-
-![Web UI Health](/img/traefik-health.png)
-
-## Security
-
-Enabling the API will expose all configuration elements,
-including sensitive data.
-
-It is not recommended in production,
-unless secured by authentication and authorizations.
-
-A good sane default (but not exhaustive) set of recommendations
-would be to apply the following protection mechanism:
-
-* _At application level:_ enabling HTTP [Basic Authentication](#authentication)
-* _At transport level:_ NOT exposing publicly the API's port,
-keeping it restricted over internal networks
-(restricted networks as in https://en.wikipedia.org/wiki/Principle_of_least_privilege).
-
-## API
-
-| Path | Method | Description |
-|-----------------------------------------------------------------|------------------|-------------------------------------------|
-| `/` | `GET` | Provides a simple HTML frontend of Traefik |
-| `/cluster/leader` | `GET` | JSON leader true/false response |
-| `/health` | `GET` | JSON health metrics |
-| `/api` | `GET` | Configuration for all providers |
-| `/api/providers` | `GET` | Providers |
-| `/api/providers/{provider}` | `GET`, `PUT` | Get or update provider (1) |
-| `/api/providers/{provider}/backends` | `GET` | List backends |
-| `/api/providers/{provider}/backends/{backend}` | `GET` | Get backend |
-| `/api/providers/{provider}/backends/{backend}/servers` | `GET` | List servers in backend |
-| `/api/providers/{provider}/backends/{backend}/servers/{server}` | `GET` | Get a server in a backend |
-| `/api/providers/{provider}/frontends` | `GET` | List frontends |
-| `/api/providers/{provider}/frontends/{frontend}` | `GET` | Get a frontend |
-| `/api/providers/{provider}/frontends/{frontend}/routes` | `GET` | List routes in a frontend |
-| `/api/providers/{provider}/frontends/{frontend}/routes/{route}` | `GET` | Get a route in a frontend |
-
-<1> See [Rest](/configuration/backends/rest/#api) for more information.
-
-!!! warning
- For compatibility reason, when you activate the rest provider, you can use `web` or `rest` as `provider` value.
- But be careful, in the configuration for all providers the key is still `web`.
-
-### Address / Port
-
-You can define a custom address/port like this:
-
-```toml
-defaultEntryPoints = ["http"]
-
-[entryPoints]
- [entryPoints.http]
- address = ":80"
-
- [entryPoints.foo]
- address = ":8082"
-
- [entryPoints.bar]
- address = ":8083"
-
-[ping]
-entryPoint = "foo"
-
-[api]
-entryPoint = "bar"
-```
-
-In the above example, you would access a regular path, dashboard, and health-check as follows:
-
-* Regular path: `http://hostname:80/path`
-* Dashboard: `http://hostname:8083/`
-* Ping URL: `http://hostname:8082/ping`
-
-In the above example, it is _very_ important to create a named dedicated entry point, and do **not** include it in `defaultEntryPoints`.
-Otherwise, you are likely to expose _all_ services via that entry point.
-
-### Custom Path
-
-You can define a custom path like this:
-
-```toml
-defaultEntryPoints = ["http"]
-
-[entryPoints]
- [entryPoints.http]
- address = ":80"
-
- [entryPoints.foo]
- address = ":8080"
-
- [entryPoints.bar]
- address = ":8081"
-
-# Activate API and Dashboard
-[api]
-entryPoint = "bar"
-dashboard = true
-
-[file]
- [backends]
- [backends.backend1]
- [backends.backend1.servers.server1]
- url = "http://127.0.0.1:8081"
-
- [frontends]
- [frontends.frontend1]
- entryPoints = ["foo"]
- backend = "backend1"
- [frontends.frontend1.routes.test_1]
- rule = "PathPrefixStrip:/yourprefix;PathPrefix:/yourprefix"
-```
-
-### Authentication
-
-You can define the authentication like this:
-
-```toml
-defaultEntryPoints = ["http"]
-
-[entryPoints]
- [entryPoints.http]
- address = ":80"
-
- [entryPoints.foo]
- address=":8080"
- [entryPoints.foo.auth]
- [entryPoints.foo.auth.basic]
- users = [
- "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
- "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
- ]
-
-[api]
-entrypoint="foo"
-```
-
-For more information, see [entry points](/configuration/entrypoints/) .
-
-### Provider call example
-
-```shell
-curl -s "http://localhost:8080/api" | jq .
-```
-```json
-{
- "file": {
- "frontends": {
- "frontend2": {
- "routes": {
- "test_2": {
- "rule": "Path:/test"
- }
- },
- "backend": "backend1"
- },
- "frontend1": {
- "routes": {
- "test_1": {
- "rule": "Host:test.localhost"
- }
- },
- "backend": "backend2"
- }
- },
- "backends": {
- "backend2": {
- "loadBalancer": {
- "method": "drr"
- },
- "servers": {
- "server2": {
- "weight": 2,
- "URL": "http://172.17.0.5:80"
- },
- "server1": {
- "weight": 1,
- "url": "http://172.17.0.4:80"
- }
- }
- },
- "backend1": {
- "loadBalancer": {
- "method": "wrr"
- },
- "circuitBreaker": {
- "expression": "NetworkErrorRatio() > 0.5"
- },
- "servers": {
- "server2": {
- "weight": 1,
- "url": "http://172.17.0.3:80"
- },
- "server1": {
- "weight": 10,
- "url": "http://172.17.0.2:80"
- }
- }
- }
- }
- }
-}
-```
-
-### Cluster Leadership
-
-```shell
-curl -s "http://localhost:8080/cluster/leader" | jq .
-```
-```shell
-< HTTP/1.1 200 OK
-< Content-Type: application/json; charset=UTF-8
-< Date: xxx
-< Content-Length: 15
-```
-If the given node is not a cluster leader, an HTTP status of `429-Too-Many-Requests` will be returned.
-```json
-{
- // current leadership status of the queried node
- "leader": true
-}
-```
-
-### Health
-
-```shell
-curl -s "http://localhost:8080/health" | jq .
-```
-```json
-{
- // Traefik PID
- "pid": 2458,
- // Traefik server uptime (formated time)
- "uptime": "39m6.885931127s",
- // Traefik server uptime in seconds
- "uptime_sec": 2346.885931127,
- // current server date
- "time": "2015-10-07 18:32:24.362238909 +0200 CEST",
- // current server date in seconds
- "unixtime": 1444235544,
- // count HTTP response status code in realtime
- "status_code_count": {
- "502": 1
- },
- // count HTTP response status code since Traefik started
- "total_status_code_count": {
- "200": 7,
- "404": 21,
- "502": 13
- },
- // count HTTP response
- "count": 1,
- // count HTTP response
- "total_count": 41,
- // sum of all response time (formated time)
- "total_response_time": "35.456865605s",
- // sum of all response time in seconds
- "total_response_time_sec": 35.456865605,
- // average response time (formated time)
- "average_response_time": "864.8016ms",
- // average response time in seconds
- "average_response_time_sec": 0.8648016000000001,
-
- // request statistics [requires --api.statistics to be set]
- // ten most recent requests with 4xx and 5xx status codes
- "recent_errors": [
- {
- // status code
- "status_code": 500,
- // description of status code
- "status": "Internal Server Error",
- // request HTTP method
- "method": "GET",
- // request hostname
- "host": "localhost",
- // request path
- "path": "/path",
- // RFC 3339 formatted date/time
- "time": "2016-10-21T16:59:15.418495872-07:00"
- }
- ]
-}
-```
-
-## Metrics
-
-You can enable Traefik to export internal metrics to different monitoring systems.
-
-```toml
-[api]
- # ...
-
- # Enable more detailed statistics.
- [api.statistics]
-
- # Number of recent errors logged.
- #
- # Default: 10
- #
- recentErrors = 10
-
- # ...
-```
-
-| Path | Method | Description |
-|------------|---------------|-------------------------|
-| `/metrics` | `GET` | Export internal metrics |
diff --git a/old/docs/configuration/backends/boltdb.md b/old/docs/configuration/backends/boltdb.md
deleted file mode 100644
index 8c4ee6f20..000000000
--- a/old/docs/configuration/backends/boltdb.md
+++ /dev/null
@@ -1,59 +0,0 @@
-# BoltDB Provider
-
-Traefik can be configured to use BoltDB as a provider.
-
-```toml
-################################################################
-# BoltDB Provider
-################################################################
-
-# Enable BoltDB Provider.
-[boltdb]
-
-# BoltDB file.
-#
-# Required
-# Default: "127.0.0.1:4001"
-#
-endpoint = "/my.db"
-
-# Enable watch BoltDB changes.
-#
-# Optional
-# Default: true
-#
-watch = true
-
-# Prefix used for KV store.
-#
-# Optional
-# Default: "/traefik"
-#
-prefix = "/traefik"
-
-# Override default configuration template.
-# For advanced users :)
-#
-# Optional
-#
-filename = "boltdb.tmpl"
-
-# Use BoltDB user/pass authentication.
-#
-# Optional
-#
-# username = foo
-# password = bar
-
-# Enable BoltDB TLS connection.
-#
-# Optional
-#
-# [boltdb.tls]
-# ca = "/etc/ssl/ca.crt"
-# cert = "/etc/ssl/boltdb.crt"
-# key = "/etc/ssl/boltdb.key"
-# insecureSkipVerify = true
-```
-
-To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
diff --git a/old/docs/configuration/backends/consul.md b/old/docs/configuration/backends/consul.md
deleted file mode 100644
index 84ddaa188..000000000
--- a/old/docs/configuration/backends/consul.md
+++ /dev/null
@@ -1,61 +0,0 @@
-# Consul Key-Value Provider
-
-Traefik can be configured to use Consul as a provider.
-
-```toml
-################################################################
-# Consul KV Provider
-################################################################
-
-# Enable Consul KV Provider.
-[consul]
-
-# Consul server endpoint.
-#
-# Required
-# Default: "127.0.0.1:8500"
-#
-endpoint = "127.0.0.1:8500"
-
-# Enable watch Consul changes.
-#
-# Optional
-# Default: true
-#
-watch = true
-
-# Prefix used for KV store.
-#
-# Optional
-# Default: traefik
-#
-prefix = "traefik"
-
-# Override default configuration template.
-# For advanced users :)
-#
-# Optional
-#
-# filename = "consul.tmpl"
-
-# Use Consul user/pass authentication.
-#
-# Optional
-#
-# username = foo
-# password = bar
-
-# Enable Consul TLS connection.
-#
-# Optional
-#
-# [consul.tls]
-# ca = "/etc/ssl/ca.crt"
-# cert = "/etc/ssl/consul.crt"
-# key = "/etc/ssl/consul.key"
-# insecureSkipVerify = true
-```
-
-To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
-
-Please refer to the [Key Value storage structure](/user-guide/kv-config/#key-value-storage-structure) section to get documentation on Traefik KV structure.
diff --git a/old/docs/configuration/backends/consulcatalog.md b/old/docs/configuration/backends/consulcatalog.md
deleted file mode 100644
index 00588ac7c..000000000
--- a/old/docs/configuration/backends/consulcatalog.md
+++ /dev/null
@@ -1,242 +0,0 @@
-# Consul Catalog Provider
-
-Traefik can be configured to use service discovery catalog of Consul as a provider.
-
-```toml
-################################################################
-# Consul Catalog Provider
-################################################################
-
-# Enable Consul Catalog Provider.
-[consulCatalog]
-
-# Consul server endpoint.
-#
-# Required
-# Default: "127.0.0.1:8500"
-#
-endpoint = "127.0.0.1:8500"
-
-# Expose Consul catalog services by default in Traefik.
-#
-# Optional
-# Default: true
-#
-exposedByDefault = false
-
-# Allow Consul server to serve the catalog reads regardless of whether it is the leader.
-#
-# Optional
-# Default: false
-#
-stale = false
-
-# Default base domain used for the frontend rules.
-#
-# Optional
-#
-domain = "consul.localhost"
-
-# Prefix for Consul catalog tags.
-#
-# Optional
-# Default: "traefik"
-#
-prefix = "traefik"
-
-# Default frontEnd Rule for Consul services.
-#
-# The format is a Go Template with:
-# - ".ServiceName", ".Domain" and ".Attributes" available
-# - "getTag(name, tags, defaultValue)", "hasTag(name, tags)" and "getAttribute(name, tags, defaultValue)" functions are available
-# - "getAttribute(...)" function uses prefixed tag names based on "prefix" value
-#
-# Optional
-# Default: "Host:{{.ServiceName}}.{{.Domain}}"
-#
-#frontEndRule = "Host:{{.ServiceName}}.{{.Domain}}"
-
-# Enable Consul catalog TLS connection.
-#
-# Optional
-#
-# [consulCatalog.tls]
-# ca = "/etc/ssl/ca.crt"
-# cert = "/etc/ssl/consul.crt"
-# key = "/etc/ssl/consul.key"
-# insecureSkipVerify = true
-
-# Override default configuration template.
-# For advanced users :)
-#
-# Optional
-#
-# filename = "consulcatalog.tmpl"
-
-# Override template version
-# For advanced users :)
-#
-# Optional
-# - "1": previous template version (must be used only with older custom templates, see "filename")
-# - "2": current template version (must be used to force template version when "filename" is used)
-#
-# templateVersion = 2
-```
-
-This provider will create routes matching on hostname based on the service name used in Consul.
-
-To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
-
-## Tags
-
-Additional settings can be defined using Consul Catalog tags.
-
-!!! note
- The default prefix is `traefik`.
-
-| Label | Description |
-|--------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `.enable=false` | Disables this container in Traefik. |
-| `.protocol=https` | Overrides the default `http` protocol. |
-| `.weight=10` | Assigns this weight to the container. |
-| `traefik.backend.buffering.maxRequestBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
-| `traefik.backend.buffering.maxResponseBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
-| `traefik.backend.buffering.memRequestBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
-| `traefik.backend.buffering.memResponseBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
-| `traefik.backend.buffering.retryExpression=EXPR` | See [buffering](/configuration/commons/#buffering) section. |
-| `.backend.circuitbreaker.expression=EXPR` | Creates a [circuit breaker](/basics/#backends) to be used against the backend. ex: `NetworkErrorRatio() > 0.` |
-| `.backend.responseForwarding.flushInterval=10ms` | Defines the interval between two flushes when forwarding response from backend to client. |
-| `.backend.healthcheck.path=/health` | Enables health check for the backend, hitting the container at `path`. |
-| `.backend.healthcheck.interval=5s` | Defines the health check interval. |
-| `.backend.healthcheck.timeout=3s` | Defines the health check request timeout |
-| `.backend.healthcheck.port=8080` | Sets a different port for the health check. |
-| `traefik.backend.healthcheck.scheme=http` | Overrides the server URL scheme. |
-| `.backend.healthcheck.hostname=foobar.com` | Defines the health check hostname. |
-| `.backend.healthcheck.headers=EXPR` | Defines the health check request headers
Format: HEADER:value||HEADER2:value2
|
-| `.backend.loadbalancer.method=drr` | Overrides the default `wrr` load balancer algorithm. |
-| `.backend.loadbalancer.stickiness=true` | Enables backend sticky sessions. |
-| `.backend.loadbalancer.stickiness.cookieName=NAME` | Sets the cookie name manually for sticky sessions. |
-| `.backend.maxconn.amount=10` | Sets a maximum number of connections to the backend.
Must be used in conjunction with the below label to take effect. |
-| `.backend.maxconn.extractorfunc=client.ip` | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.
Must be used in conjunction with the above label to take effect. |
-| `.frontend.auth.basic=EXPR` | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash` (DEPRECATED). |
-| `.frontend.auth.basic.removeHeader=true` | If set to `true`, removes the `Authorization` header. |
-| `.frontend.auth.basic.users=EXPR` | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash`. |
-| `.frontend.auth.basic.usersfile=/path/.htpasswd` | Sets basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. |
-| `.frontend.auth.digest.removeHeader=true` | If set to `true`, removes the `Authorization` header. |
-| `.frontend.auth.digest.users=EXPR` | Sets digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`. |
-| `.frontend.auth.digest.usersfile=/path/.htdigest` | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. |
-| `.frontend.auth.forward.address=https://example.com` | Sets the URL of the authentication server. |
-| `.frontend.auth.forward.authResponseHeaders=EXPR` | Sets the forward authentication authResponseHeaders in CSV format: `X-Auth-User,X-Auth-Header` |
-| `.frontend.auth.forward.tls.ca=/path/ca.pem` | Sets the Certificate Authority (CA) for the TLS connection with the authentication server. |
-| `.frontend.auth.forward.tls.caOptional=true` | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA). |
-| `.frontend.auth.forward.tls.cert=/path/server.pem` | Sets the Certificate for the TLS connection with the authentication server. |
-| `.frontend.auth.forward.tls.insecureSkipVerify=true` | If set to true invalid SSL certificates are accepted. |
-| `.frontend.auth.forward.tls.key=/path/server.key` | Sets the Certificate for the TLS connection with the authentication server. |
-| `.frontend.auth.forward.trustForwardHeader=true` | Trusts X-Forwarded-* headers. |
-| `.frontend.auth.headerField=X-WebAuth-User` | Sets the header used to pass the authenticated user to the application. |
-| `.frontend.entryPoints=http,https` | Assigns this frontend to entry points `http` and `https`.
Overrides `defaultEntryPoints` |
-| `.frontend.errors..backend=NAME` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
-| `.frontend.errors..query=PATH` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
-| `.frontend.errors..status=RANGE` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
-| `.frontend.passHostHeader=true` | Forwards client `Host` header to the backend. |
-| `.frontend.passTLSClientCert.infos.issuer.commonName=true` | Add the issuer.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `.frontend.passTLSClientCert.infos.issuer.country=true` | Add the issuer.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `.frontend.passTLSClientCert.infos.issuer.domainComponent=true` | Add the issuer.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `.frontend.passTLSClientCert.infos.issuer.locality=true` | Add the issuer.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `.frontend.passTLSClientCert.infos.issuer.organization=true` | Add the issuer.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `.frontend.passTLSClientCert.infos.issuer.province=true` | Add the issuer.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `.frontend.passTLSClientCert.infos.issuer.serialNumber=true` | Add the subject.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `.frontend.passTLSClientCert.infos.notAfter=true` | Add the noAfter field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `.frontend.passTLSClientCert.infos.notBefore=true` | Add the noBefore field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `.frontend.passTLSClientCert.infos.sans=true` | Add the sans field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `.frontend.passTLSClientCert.infos.subject.commonName=true` | Add the subject.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `.frontend.passTLSClientCert.infos.subject.country=true` | Add the subject.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Add the subject.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `.frontend.passTLSClientCert.infos.subject.locality=true` | Add the subject.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `.frontend.passTLSClientCert.infos.subject.organization=true` | Add the subject.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `.frontend.passTLSClientCert.infos.subject.province=true` | Add the subject.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `.frontend.passTLSClientCert.infos.subject.serialNumber=true` | Add the subject.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `.frontend.passTLSClientCert.pem=true` | Pass the escaped pem in the `X-Forwarded-Ssl-Client-Cert` header. |
-| `.frontend.passTLSCert=true` | Forwards TLS Client certificates to the backend. |
-| `.frontend.priority=10` | Overrides default frontend priority. |
-| `.frontend.rateLimit.extractorFunc=EXP` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
-| `.frontend.rateLimit.rateSet..period=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
-| `.frontend.rateLimit.rateSet..average=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
-| `.frontend.rateLimit.rateSet..burst=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
-| `.frontend.redirect.entryPoint=https` | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS). |
-| `.frontend.redirect.regex=^http://localhost/(.*)` | Redirects to another URL to this frontend.
Must be set with `traefik.frontend.redirect.replacement`. |
-| `.frontend.redirect.replacement=http://mydomain/$1` | Redirects to another URL to this frontend.
Must be set with `traefik.frontend.redirect.regex`. |
-| `.frontend.redirect.permanent=true` | Returns 301 instead of 302. |
-| `.frontend.rule=EXPR` | Overrides the default frontend rule. Default: `Host:{{.ServiceName}}.{{.Domain}}`. |
-| `.frontend.whiteList.sourceRange=RANGE` | Sets a list of IP-Ranges which are allowed to access.
An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
-| `.frontend.whiteList.ipStrategy=true` | Uses the default IPStrategy.
Can be used when there is an existing `clientIPStrategy` but you want the remote address for whitelisting. |
-| `.frontend.whiteList.ipStrategy.depth=5` | See [whitelist](/configuration/entrypoints/#white-listing) |
-| `.frontend.whiteList.ipStrategy.excludedIPs=127.0.0.1` | See [whitelist](/configuration/entrypoints/#white-listing) |
-
-### Multiple frontends for a single service
-
-If you need to support multiple frontends for a service, for example when having multiple `rules` that can't be combined, specify them as follows:
-
-```
-.frontends.A.rule=Host:A:PathPrefix:/A
-.frontends.B.rule=Host:B:PathPrefix:/
-```
-
-`A` and `B` here are just arbitrary names, they can be anything. You can use any setting that applies to `.frontend` from the table above.
-
-### Custom Headers
-
-!!! note
- The default prefix is `traefik`.
-
-| Label | Description |
-|--------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.
Format: HEADER:value||HEADER2:value2
|
-| `.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.
Format: HEADER:value||HEADER2:value2
|
-
-### Security Headers
-
-!!! note
- The default prefix is `traefik`.
-
-| Label | Description |
-|-----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `.frontend.headers.allowedHosts=EXPR` | Provides a list of allowed hosts that requests will be processed.
Format: `Host1,Host2` |
-| `.frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
-| `.frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. |
-| `.frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
-| `.frontend.headers.customBrowserXSSValue=VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. |
-| `.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
-| `.frontend.headers.forceSTSHeader=false` | Adds the STS header to non-SSL requests. |
-| `.frontend.headers.frameDeny=false` | Adds the `X-Frame-Options` header with the value of `DENY`. |
-| `.frontend.headers.hostsProxyHeaders=EXPR` | Provides a list of headers that the proxied hostname may be stored.
Format: `HEADER1,HEADER2` |
-| `.frontend.headers.isDevelopment=false` | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.
When deploying to production, be sure to set this to false. |
-| `.frontend.headers.publicKey=VALUE` | Adds HPKP header. |
-| `.frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. |
-| `.frontend.headers.SSLRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent. |
-| `.frontend.headers.SSLTemporaryRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301. |
-| `.frontend.headers.SSLHost=HOST` | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request. |
-| `.frontend.headers.SSLForceHost=true` | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false. |
-| `.frontend.headers.SSLProxyHeaders=EXPR` | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).
Format: HEADER:value||HEADER2:value2
|
-| `.frontend.headers.STSSeconds=315360000` | Sets the max-age of the STS header. |
-| `.frontend.headers.STSIncludeSubdomains=true` | Adds the `IncludeSubdomains` section of the STS header. |
-| `.frontend.headers.STSPreload=true` | Adds the preload flag to the STS header. |
-
-
-### Examples
-
-If you want that Traefik uses Consul tags correctly you need to defined them like that:
-
-```js
-traefik.enable=true
-traefik.tags=api
-traefik.tags=external
-```
-
-If the prefix defined in Traefik configuration is `bla`, tags need to be defined like that:
-
-```js
-bla.enable=true
-bla.tags=api
-bla.tags=external
-```
diff --git a/old/docs/configuration/backends/docker.md b/old/docs/configuration/backends/docker.md
deleted file mode 100644
index 586f612e7..000000000
--- a/old/docs/configuration/backends/docker.md
+++ /dev/null
@@ -1,19 +0,0 @@
-| `traefik.domain` | Sets the default base domain for the frontend rules. For more information, check the [Container Labels section's of the user guide "Let's Encrypt & Docker"](/user-guide/docker-and-lets-encrypt/#container-labels) |
-| `traefik.port=80` | Registers this port. Useful when the container exposes multiples ports. |
-| `traefik.protocol=https` | Overrides the default `http` protocol |
-| `traefik.weight=10` | Assigns this weight to the container
-
-[2] `traefik.frontend.auth.basic.users=EXPR`:
-To create `user:password` pair, it's possible to use this command:
-`echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g`.
-The result will be `user:$$apr1$$9Cv/OMGj$$ZomWQzuQbL.3TRCS81A1g/`, note additional symbol `$` makes escaping.
-
-[3] `traefik.backend.loadbalancer.swarm`:
-If you enable this option, Traefik will use the virtual IP provided by docker swarm instead of the containers IPs.
-Which means that Traefik will not perform any kind of load balancing and will delegate this task to swarm.
-It also means that Traefik will manipulate only one backend, not one backend per container.
-
-!!! warning
- When running inside a container, Traefik will need network access through:
-
- `docker network connect `
\ No newline at end of file
diff --git a/old/docs/configuration/backends/dynamodb.md b/old/docs/configuration/backends/dynamodb.md
deleted file mode 100644
index 37b15f624..000000000
--- a/old/docs/configuration/backends/dynamodb.md
+++ /dev/null
@@ -1,70 +0,0 @@
-# DynamoDB Provider
-
-Traefik can be configured to use Amazon DynamoDB as a provider.
-
-## Configuration
-
-```toml
-################################################################
-# DynamoDB Provider
-################################################################
-
-# Enable DynamoDB Provider.
-[dynamodb]
-
-# Region to use when connecting to AWS.
-#
-# Required
-#
-region = "us-west-1"
-
-# DyanmoDB Table Name.
-#
-# Optional
-# Default: "traefik"
-#
-tableName = "traefik"
-
-# Enable watch DynamoDB changes.
-#
-# Optional
-# Default: true
-#
-watch = true
-
-# Polling interval (in seconds).
-#
-# Optional
-# Default: 15
-#
-refreshSeconds = 15
-
-# Access Key ID to use when connecting to AWS.
-#
-# Optional
-#
-accessKeyID = "abc"
-
-# Secret Access Key to use when connecting to AWS.
-#
-# Optional
-#
-secretAccessKey = "123"
-
-# Endpoint of local dynamodb instance for testing?
-#
-# Optional
-#
-endpoint = "http://localhost:8080"
-```
-
-## Table Items
-
-Items in the `dynamodb` table must have three attributes:
-
-- `id` (string): The id is the primary key.
-- `name`(string): The name is used as the name of the frontend or backend.
-- `frontend` or `backend` (map): This attribute's structure matches exactly the structure of a Frontend or Backend type in Traefik.
- See `types/types.go` for details.
- The presence or absence of this attribute determines its type.
- So an item should never have both a `frontend` and a `backend` attribute.
diff --git a/old/docs/configuration/backends/ecs.md b/old/docs/configuration/backends/ecs.md
deleted file mode 100644
index 04c6a9c0c..000000000
--- a/old/docs/configuration/backends/ecs.md
+++ /dev/null
@@ -1,350 +0,0 @@
-# ECS Provider
-
-Traefik can be configured to use Amazon ECS as a provider.
-
-## Configuration
-
-```toml
-################################################################
-# ECS Provider
-################################################################
-
-# Enable ECS Provider.
-[ecs]
-
-# ECS Clusters Name.
-#
-# Optional
-# Default: ["default"]
-#
-clusters = ["default"]
-
-# Enable watch ECS changes.
-#
-# Optional
-# Default: true
-#
-watch = true
-
-# Default base domain used for the frontend rules.
-# Can be overridden by setting the "traefik.domain" label.
-#
-# Optional
-# Default: ""
-#
-domain = "ecs.localhost"
-
-# Enable auto discover ECS clusters.
-#
-# Optional
-# Default: false
-#
-autoDiscoverClusters = false
-
-# Polling interval (in seconds).
-#
-# Optional
-# Default: 15
-#
-refreshSeconds = 15
-
-# Expose ECS services by default in Traefik.
-#
-# Optional
-# Default: true
-#
-exposedByDefault = false
-
-# Region to use when connecting to AWS.
-#
-# Optional
-#
-region = "us-east-1"
-
-# Access Key ID to use when connecting to AWS.
-#
-# Optional
-#
-accessKeyID = "abc"
-
-# Secret Access Key to use when connecting to AWS.
-#
-# Optional
-#
-secretAccessKey = "123"
-
-# Override default configuration template.
-# For advanced users :)
-#
-# Optional
-#
-# filename = "ecs.tmpl"
-
-# Override template version
-# For advanced users :)
-#
-# Optional
-# - "1": previous template version (must be used only with older custom templates, see "filename")
-# - "2": current template version (must be used to force template version when "filename" is used)
-#
-# templateVersion = 2
-```
-
-If `accessKeyID`/`secretAccessKey` is not given credentials will be resolved in the following order:
-
-- From environment variables; `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
-- Shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to `default` and `~/.aws/credentials`.
-- EC2 instance role or ECS task role
-
-To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
-
-## Policy
-
-Traefik needs the following policy to read ECS information:
-
-```json
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "TraefikECSReadAccess",
- "Effect": "Allow",
- "Action": [
- "ecs:ListClusters",
- "ecs:DescribeClusters",
- "ecs:ListTasks",
- "ecs:DescribeTasks",
- "ecs:DescribeContainerInstances",
- "ecs:DescribeTaskDefinition",
- "ec2:DescribeInstances"
- ],
- "Resource": [
- "*"
- ]
- }
- ]
-}
-```
-
-## Labels: overriding default behavior
-
-Labels can be used on task containers to override default behavior:
-
-| Label | Description |
-|-------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.domain` | Sets the default base domain for frontend rules. |
-| `traefik.enable=false` | Disables this container in Traefik. |
-| `traefik.port=80` | Overrides the default `port` value. Overrides `NetworkBindings` from Docker Container |
-| `traefik.protocol=https` | Overrides the default `http` protocol |
-| `traefik.weight=10` | Assigns this weight to the container |
-| `traefik.backend=foo` | Overrides the service name by `foo` in the generated name of the backend. |
-| `traefik.backend.buffering.maxRequestBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
-| `traefik.backend.buffering.maxResponseBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
-| `traefik.backend.buffering.memRequestBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
-| `traefik.backend.buffering.memResponseBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
-| `traefik.backend.buffering.retryExpression=EXPR` | See [buffering](/configuration/commons/#buffering) section. |
-| `traefik.backend.circuitbreaker.expression=EXPR` | Creates a [circuit breaker](/basics/#backends) to be used against the backend |
-| `traefik.backend.responseForwarding.flushInterval=10ms` | Defines the interval between two flushes when forwarding response from backend to client. |
-| `traefik.backend.healthcheck.path=/health` | Enables health check for the backend, hitting the container at `path`. |
-| `traefik.backend.healthcheck.interval=5s` | Defines the health check interval. (Default: 30s) |
-| `traefik.backend.healthcheck.timeout=3s` | Defines the health check request timeout. (Default: 5s) |
-| `traefik.backend.healthcheck.scheme=http` | Overrides the server URL scheme. |
-| `traefik.backend.healthcheck.port=8080` | Sets a different port for the health check. |
-| `traefik.backend.healthcheck.hostname=foobar.com` | Defines the health check hostname. |
-| `traefik.backend.healthcheck.headers=EXPR` | Defines the health check request headers
Format: HEADER:value||HEADER2:value2
|
-| `traefik.backend.loadbalancer.method=drr` | Overrides the default `wrr` load balancer algorithm |
-| `traefik.backend.loadbalancer.stickiness=true` | Enables backend sticky sessions |
-| `traefik.backend.loadbalancer.stickiness.cookieName=NAME` | Sets the cookie manually name for sticky sessions |
-| `traefik.backend.maxconn.amount=10` | Sets a maximum number of connections to the backend.
Must be used in conjunction with the below label to take effect. |
-| `traefik.backend.maxconn.extractorfunc=client.ip` | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.
Must be used in conjunction with the above label to take effect. |
-| `traefik.frontend.auth.basic=EXPR` | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash` (DEPRECATED). |
-| `traefik.frontend.auth.basic.removeHeader=true` | If set to `true`, removes the `Authorization` header. |
-| `traefik.frontend.auth.basic.users=EXPR` | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash`. |
-| `traefik.frontend.auth.basic.usersFile=/path/.htpasswd` | Sets basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. |
-| `traefik.frontend.auth.digest.removeHeader=true` | If set to `true`, removes the `Authorization` header. |
-| `traefik.frontend.auth.digest.users=EXPR` | Sets digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`. |
-| `traefik.frontend.auth.digest.usersFile=/path/.htdigest` | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. |
-| `traefik.frontend.auth.forward.address=https://example.com` | Sets the URL of the authentication server. |
-| `traefik.frontend.auth.forward.authResponseHeaders=EXPR` | Sets the forward authentication authResponseHeaders in CSV format: `X-Auth-User,X-Auth-Header` |
-| `traefik.frontend.auth.forward.tls.ca=/path/ca.pem` | Sets the Certificate Authority (CA) for the TLS connection with the authentication server. |
-| `traefik.frontend.auth.forward.tls.caOptional=true` | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA). |
-| `traefik.frontend.auth.forward.tls.cert=/path/server.pem` | Sets the Certificate for the TLS connection with the authentication server. |
-| `traefik.frontend.auth.forward.tls.insecureSkipVerify=true` | If set to true invalid SSL certificates are accepted. |
-| `traefik.frontend.auth.forward.tls.key=/path/server.key` | Sets the Certificate for the TLS connection with the authentication server. |
-| `traefik.frontend.auth.forward.trustForwardHeader=true` | Trusts X-Forwarded-* headers. |
-| `traefik.frontend.auth.headerField=X-WebAuth-User` | Sets the header used to pass the authenticated user to the application. |
-| `traefik.frontend.auth.removeHeader=true` | If set to true, removes the Authorization header. |
-| `traefik.frontend.passTLSClientCert.infos.issuer.commonName=true` | Add the issuer.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.issuer.country=true` | Add the issuer.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent=true` | Add the issuer.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.issuer.locality=true` | Add the issuer.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.issuer.organization=true` | Add the issuer.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.issuer.province=true` | Add the issuer.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber=true` | Add the issuer.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.notAfter=true` | Add the noAfter field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.notBefore=true` | Add the noBefore field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.sans=true` | Add the sans field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.subject.commonName=true` | Add the subject.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.subject.country=true` | Add the subject.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Add the subject.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.subject.locality=true` | Add the subject.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.subject.organization=true` | Add the subject.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.subject.province=true` | Add the subject.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.subject.serialNumber=true` | Add the subject.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.pem=true` | Pass the escaped pem in the `X-Forwarded-Ssl-Client-Cert` header. |
-| `traefik.frontend.entryPoints=http,https` | Assigns this frontend to entry points `http` and `https`.
Overrides `defaultEntryPoints` |
-| `traefik.frontend.errors..backend=NAME` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
-| `traefik.frontend.errors..query=PATH` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
-| `traefik.frontend.errors..status=RANGE` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
-| `traefik.frontend.passHostHeader=true` | Forwards client `Host` header to the backend. |
-| `traefik.frontend.passTLSCert=true` | Forwards TLS Client certificates to the backend. |
-| `traefik.frontend.priority=10` | Overrides default frontend priority |
-| `traefik.frontend.rateLimit.extractorFunc=EXP` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
-| `traefik.frontend.rateLimit.rateSet..period=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
-| `traefik.frontend.rateLimit.rateSet..average=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
-| `traefik.frontend.rateLimit.rateSet..burst=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
-| `traefik.frontend.redirect.entryPoint=https` | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS) |
-| `traefik.frontend.redirect.regex=^http://localhost/(.*)` | Redirects to another URL to this frontend.
Must be set with `traefik.frontend.redirect.replacement`. |
-| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirects to another URL to this frontend.
Must be set with `traefik.frontend.redirect.regex`. |
-| `traefik.frontend.redirect.permanent=true` | Returns 301 instead of 302. |
-| `traefik.frontend.rule=EXPR` | Overrides the default frontend rule. Default: `Host:{instance_name}.{domain}`. |
-| `traefik.frontend.whiteList.sourceRange=RANGE` | Sets a list of IP-Ranges which are allowed to access.
An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
-| `traefik.frontend.whiteList.ipStrategy=true` | Uses the default IPStrategy.
Can be used when there is an existing `clientIPStrategy` but you want the remote address for whitelisting. |
-| `traefik.frontend.whiteList.ipStrategy.depth=5` | See [whitelist](/configuration/entrypoints/#white-listing) |
-| `traefik.frontend.whiteList.ipStrategy.excludedIPs=127.0.0.1` | See [whitelist](/configuration/entrypoints/#white-listing) |
-
-### Custom Headers
-
-| Label | Description |
-|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.
Format: HEADER:value||HEADER2:value2
|
-| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.
Format: HEADER:value||HEADER2:value2
|
-
-### Security Headers
-
-| Label | Description |
-|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.frontend.headers.allowedHosts=EXPR` | Provides a list of allowed hosts that requests will be processed.
Format: `Host1,Host2` |
-| `traefik.frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
-| `traefik.frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. |
-| `traefik.frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
-| `traefik.frontend.headers.customBrowserXSSValue=VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. |
-| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
-| `traefik.frontend.headers.forceSTSHeader=false` | Adds the STS header to non-SSL requests. |
-| `traefik.frontend.headers.frameDeny=false` | Adds the `X-Frame-Options` header with the value of `DENY`. |
-| `traefik.frontend.headers.hostsProxyHeaders=EXPR ` | Provides a list of headers that the proxied hostname may be stored.
Format: `HEADER1,HEADER2` |
-| `traefik.frontend.headers.publicKey=VALUE` | Adds HPKP header. |
-| `traefik.frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. |
-| `traefik.frontend.headers.isDevelopment=false` | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.
When deploying to production, be sure to set this to false. |
-| `traefik.frontend.headers.SSLRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent. |
-| `traefik.frontend.headers.SSLTemporaryRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301. |
-| `traefik.frontend.headers.SSLHost=HOST` | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request. |
-| `traefik.frontend.headers.SSLForceHost=true` | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false. |
-| `traefik.frontend.headers.SSLProxyHeaders=EXPR` | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).
Format: HEADER:value||HEADER2:value2
|
-| `traefik.frontend.headers.STSSeconds=315360000` | Sets the max-age of the STS header. |
-| `traefik.frontend.headers.STSIncludeSubdomains=true` | Adds the `IncludeSubdomains` section of the STS header. |
-| `traefik.frontend.headers.STSPreload=true` | Adds the preload flag to the STS header. |
-
-### Containers with Multiple Ports (segment labels)
-
-Segment labels are used to define routes to an application exposing multiple ports.
-A segment is a group of labels that apply to a port exposed by an application.
-You can define as many segments as ports exposed in an application.
-
-Segment labels override the default behavior.
-
-| Label | Description |
-|----------------------------------------------------------------------------------------|----------------------------------------------------------------------------|
-| `traefik..backend=BACKEND` | Same as `traefik.backend` |
-| `traefik..domain=DOMAIN` | Same as `traefik.domain` |
-| `traefik..port=PORT` | Same as `traefik.port` |
-| `traefik..protocol=http` | Same as `traefik.protocol` |
-| `traefik..weight=10` | Same as `traefik.weight` |
-| `traefik..frontend.auth.basic=EXPR` | Same as `traefik.frontend.auth.basic` |
-| `traefik..frontend.auth.basic.removeHeader=true` | Same as `traefik.frontend.auth.basic.removeHeader` |
-| `traefik..frontend.auth.basic.users=EXPR` | Same as `traefik.frontend.auth.basic.users` |
-| `traefik..frontend.auth.basic.usersFile=/path/.htpasswd` | Same as `traefik.frontend.auth.basic.usersFile` |
-| `traefik..frontend.auth.digest.removeHeader=true` | Same as `traefik.frontend.auth.digest.removeHeader` |
-| `traefik..frontend.auth.digest.users=EXPR` | Same as `traefik.frontend.auth.digest.users` |
-| `traefik..frontend.auth.digest.usersFile=/path/.htdigest` | Same as `traefik.frontend.auth.digest.usersFile` |
-| `traefik..frontend.auth.forward.address=https://example.com` | Same as `traefik.frontend.auth.forward.address` |
-| `traefik..frontend.auth.forward.authResponseHeaders=EXPR` | Same as `traefik.frontend.auth.forward.authResponseHeaders` |
-| `traefik..frontend.auth.forward.tls.ca=/path/ca.pem` | Same as `traefik.frontend.auth.forward.tls.ca` |
-| `traefik..frontend.auth.forward.tls.caOptional=true` | Same as `traefik.frontend.auth.forward.tls.caOptional` |
-| `traefik..frontend.auth.forward.tls.cert=/path/server.pem` | Same as `traefik.frontend.auth.forward.tls.cert` |
-| `traefik..frontend.auth.forward.tls.insecureSkipVerify=true` | Same as `traefik.frontend.auth.forward.tls.insecureSkipVerify` |
-| `traefik..frontend.auth.forward.tls.key=/path/server.key` | Same as `traefik.frontend.auth.forward.tls.key` |
-| `traefik..frontend.auth.forward.trustForwardHeader=true` | Same as `traefik.frontend.auth.forward.trustForwardHeader` |
-| `traefik..frontend.auth.headerField=X-WebAuth-User` | Same as `traefik.frontend.auth.headerField` |
-| `traefik..frontend.auth.removeHeader=true` | Same as `traefik.frontend.auth.removeHeader` |
-| `traefik..frontend.entryPoints=https` | Same as `traefik.frontend.entryPoints` |
-| `traefik..frontend.errors..backend=NAME` | Same as `traefik.frontend.errors..backend` |
-| `traefik..frontend.errors..query=PATH` | Same as `traefik.frontend.errors..query` |
-| `traefik..frontend.errors..status=RANGE` | Same as `traefik.frontend.errors..status` |
-| `traefik..frontend.passHostHeader=true` | Same as `traefik.frontend.passHostHeader` |
-| `traefik..frontend.passTLSClientCert.infos.issuer.commonName=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.commonName` |
-| `traefik..frontend.passTLSClientCert.infos.issuer.country=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.country` |
-| `traefik..frontend.passTLSClientCert.infos.issuer.domainComponent=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent` |
-| `traefik..frontend.passTLSClientCert.infos.issuer.locality=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.locality` |
-| `traefik..frontend.passTLSClientCert.infos.issuer.organization=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.organization` |
-| `traefik..frontend.passTLSClientCert.infos.issuer.province=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.province` |
-| `traefik..frontend.passTLSClientCert.infos.issuer.serialNumber=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber` |
-| `traefik..frontend.passTLSClientCert.infos.notAfter=true` | Same as `traefik.frontend.passTLSClientCert.infos.notAfter` |
-| `traefik..frontend.passTLSClientCert.infos.notBefore=true` | Same as `traefik.frontend.passTLSClientCert.infos.notBefore` |
-| `traefik..frontend.passTLSClientCert.infos.sans=true` | Same as `traefik.frontend.passTLSClientCert.infos.sans` |
-| `traefik..frontend.passTLSClientCert.infos.subject.commonName=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.commonName` |
-| `traefik..frontend.passTLSClientCert.infos.subject.country=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.country` |
-| `traefik..frontend.passTLSClientCert.infos.subject.domainComponent=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.domainComponent` |
-| `traefik..frontend.passTLSClientCert.infos.subject.locality=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.locality` |
-| `traefik..frontend.passTLSClientCert.infos.subject.organization=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.organization` |
-| `traefik..frontend.passTLSClientCert.infos.subject.province=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.province` |
-| `traefik..frontend.passTLSClientCert.infos.subject.serialNumber=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.serialNumber` |
-| `traefik..frontend.passTLSClientCert.pem=true` | Same as `traefik.frontend.passTLSClientCert.infos.pem` |
-| `traefik..frontend.passTLSCert=true` | Same as `traefik.frontend.passTLSCert` |
-| `traefik..frontend.priority=10` | Same as `traefik.frontend.priority` |
-| `traefik..frontend.rateLimit.extractorFunc=EXP` | Same as `traefik.frontend.rateLimit.extractorFunc` |
-| `traefik..frontend.rateLimit.rateSet..period=6` | Same as `traefik.frontend.rateLimit.rateSet..period` |
-| `traefik..frontend.rateLimit.rateSet..average=6` | Same as `traefik.frontend.rateLimit.rateSet..average` |
-| `traefik..frontend.rateLimit.rateSet..burst=6` | Same as `traefik.frontend.rateLimit.rateSet..burst` |
-| `traefik..frontend.redirect.entryPoint=https` | Same as `traefik.frontend.redirect.entryPoint` |
-| `traefik..frontend.redirect.regex=^http://localhost/(.*)` | Same as `traefik.frontend.redirect.regex` |
-| `traefik..frontend.redirect.replacement=http://mydomain/$1` | Same as `traefik.frontend.redirect.replacement` |
-| `traefik..frontend.redirect.permanent=true` | Same as `traefik.frontend.redirect.permanent` |
-| `traefik..frontend.rule=EXP` | Same as `traefik.frontend.rule` |
-| `traefik..frontend.whiteList.sourceRange=RANGE` | Same as `traefik.frontend.whiteList.sourceRange` |
-| `traefik..frontend.whiteList.useXForwardedFor=true` | Same as `traefik.frontend.whiteList.useXForwardedFor` |
-| `traefik..frontend.whiteList.ipStrategy=true` | Same as `traefik.frontend.whiteList.ipStrategy` |
-| `traefik..frontend.whiteList.ipStrategy.depth=5` | Same as `traefik.frontend.whiteList.ipStrategy.depth` |
-| `traefik..frontend.whiteList.ipStrategy.excludedIPs=127.0.0.1` | Same as `traefik.frontend.whiteList.ipStrategy.excludedIPs` |
-
-#### Custom Headers
-
-| Label | Description |
-|----------------------------------------------------------------------|----------------------------------------------------------|
-| `traefik..frontend.headers.customRequestHeaders=EXPR ` | Same as `traefik.frontend.headers.customRequestHeaders` |
-| `traefik..frontend.headers.customResponseHeaders=EXPR` | Same as `traefik.frontend.headers.customResponseHeaders` |
-
-#### Security Headers
-
-| Label | Description |
-|-------------------------------------------------------------------------|--------------------------------------------------------------|
-| `traefik..frontend.headers.allowedHosts=EXPR` | Same as `traefik.frontend.headers.allowedHosts` |
-| `traefik..frontend.headers.browserXSSFilter=true` | Same as `traefik.frontend.headers.browserXSSFilter` |
-| `traefik..frontend.headers.contentSecurityPolicy=VALUE` | Same as `traefik.frontend.headers.contentSecurityPolicy` |
-| `traefik..frontend.headers.contentTypeNosniff=true` | Same as `traefik.frontend.headers.contentTypeNosniff` |
-| `traefik..frontend.headers.customBrowserXSSValue=VALUE` | Same as `traefik.frontend.headers.customBrowserXSSValue` |
-| `traefik..frontend.headers.customFrameOptionsValue=VALUE` | Same as `traefik.frontend.headers.customFrameOptionsValue` |
-| `traefik..frontend.headers.forceSTSHeader=false` | Same as `traefik.frontend.headers.forceSTSHeader` |
-| `traefik..frontend.headers.frameDeny=false` | Same as `traefik.frontend.headers.frameDeny` |
-| `traefik..frontend.headers.hostsProxyHeaders=EXPR` | Same as `traefik.frontend.headers.hostsProxyHeaders` |
-| `traefik..frontend.headers.isDevelopment=false` | Same as `traefik.frontend.headers.isDevelopment` |
-| `traefik..frontend.headers.publicKey=VALUE` | Same as `traefik.frontend.headers.publicKey` |
-| `traefik..frontend.headers.referrerPolicy=VALUE` | Same as `traefik.frontend.headers.referrerPolicy` |
-| `traefik..frontend.headers.SSLRedirect=true` | Same as `traefik.frontend.headers.SSLRedirect` |
-| `traefik..frontend.headers.SSLTemporaryRedirect=true` | Same as `traefik.frontend.headers.SSLTemporaryRedirect` |
-| `traefik..frontend.headers.SSLHost=HOST` | Same as `traefik.frontend.headers.SSLHost` |
-| `traefik..frontend.headers.SSLForceHost=true` | Same as `traefik.frontend.headers.SSLForceHost` |
-| `traefik..frontend.headers.SSLProxyHeaders=EXPR` | Same as `traefik.frontend.headers.SSLProxyHeaders=EXPR` |
-| `traefik..frontend.headers.STSSeconds=315360000` | Same as `traefik.frontend.headers.STSSeconds=315360000` |
-| `traefik..frontend.headers.STSIncludeSubdomains=true` | Same as `traefik.frontend.headers.STSIncludeSubdomains=true` |
-| `traefik..frontend.headers.STSPreload=true` | Same as `traefik.frontend.headers.STSPreload=true` |
diff --git a/old/docs/configuration/backends/etcd.md b/old/docs/configuration/backends/etcd.md
deleted file mode 100644
index 3ab85f19d..000000000
--- a/old/docs/configuration/backends/etcd.md
+++ /dev/null
@@ -1,61 +0,0 @@
-# Etcd Provider
-
-Traefik can be configured to use Etcd as a provider.
-
-```toml
-################################################################
-# Etcd Provider
-################################################################
-
-# Enable Etcd Provider.
-[etcd]
-
-# Etcd server endpoint.
-#
-# Required
-# Default: "127.0.0.1:2379"
-#
-endpoint = "127.0.0.1:2379"
-
-# Enable watch Etcd changes.
-#
-# Optional
-# Default: true
-#
-watch = true
-
-# Prefix used for KV store.
-#
-# Optional
-# Default: "/traefik"
-#
-prefix = "/traefik"
-
-# Override default configuration template.
-# For advanced users :)
-#
-# Optional
-#
-# filename = "etcd.tmpl"
-
-# Use etcd user/pass authentication.
-#
-# Optional
-#
-# username = foo
-# password = bar
-
-# Enable etcd TLS connection.
-#
-# Optional
-#
-# [etcd.tls]
-# ca = "/etc/ssl/ca.crt"
-# cert = "/etc/ssl/etcd.crt"
-# key = "/etc/ssl/etcd.key"
-# insecureSkipVerify = true
-```
-
-To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
-
-Please refer to the [Key Value storage structure](/user-guide/kv-config/#key-value-storage-structure) section to get documentation on Traefik KV structure.
diff --git a/old/docs/configuration/backends/eureka.md b/old/docs/configuration/backends/eureka.md
deleted file mode 100644
index 0341cabc4..000000000
--- a/old/docs/configuration/backends/eureka.md
+++ /dev/null
@@ -1,32 +0,0 @@
-# Eureka Provider
-
-Traefik can be configured to use Eureka as a provider.
-
-```toml
-################################################################
-# Eureka Provider
-################################################################
-
-# Enable Eureka Provider.
-[eureka]
-
-# Eureka server endpoint.
-#
-# Required
-#
-endpoint = "http://my.eureka.server/eureka"
-
-# Override default configuration time between refresh.
-#
-# Optional
-# Default: 30s
-#
-refreshSeconds = "1m"
-
-# Override default configuration template.
-# For advanced users :)
-#
-# Optional
-#
-# filename = "eureka.tmpl"
-```
diff --git a/old/docs/configuration/backends/file.md b/old/docs/configuration/backends/file.md
deleted file mode 100644
index 2c0e5704c..000000000
--- a/old/docs/configuration/backends/file.md
+++ /dev/null
@@ -1,357 +0,0 @@
-# File Provider
-
-Traefik can be configured with a file.
-
-## Reference
-
-```toml
-[file]
-
-# Backends
-[backends]
-
- [backends.backend1]
-
- [backends.backend1.servers]
- [backends.backend1.servers.server0]
- url = "http://10.10.10.1:80"
- weight = 1
- [backends.backend1.servers.server1]
- url = "http://10.10.10.2:80"
- weight = 2
- # ...
-
- [backends.backend1.circuitBreaker]
- expression = "NetworkErrorRatio() > 0.5"
-
- [backends.backend1.responseForwarding]
- flushInterval = "10ms"
-
- [backends.backend1.loadBalancer]
- method = "drr"
- [backends.backend1.loadBalancer.stickiness]
- cookieName = "foobar"
-
- [backends.backend1.maxConn]
- amount = 10
- extractorfunc = "request.host"
-
- [backends.backend1.healthCheck]
- path = "/health"
- port = 88
- interval = "30s"
- timeout = "5s"
- scheme = "http"
- hostname = "myhost.com"
- [backends.backend1.healthcheck.headers]
- My-Custom-Header = "foo"
- My-Header = "bar"
-
- [backends.backend2]
- # ...
-
-# Frontends
-[frontends]
-
- [frontends.frontend1]
- entryPoints = ["http", "https"]
- backend = "backend1"
- passHostHeader = true
- priority = 42
-
- [frontends.frontend1.passTLSClientCert]
- pem = true
- [frontends.frontend1.passTLSClientCert.infos]
- notBefore = true
- notAfter = true
- [frontends.frontend1.passTLSClientCert.infos.subject]
- country = true
- domainComponent = true
- province = true
- locality = true
- organization = true
- commonName = true
- serialNumber = true
- [frontends.frontend1.passTLSClientCert.infos.issuer]
- country = true
- domainComponent = true
- province = true
- locality = true
- organization = true
- commonName = true
- serialNumber = true
- [frontends.frontend1.auth]
- headerField = "X-WebAuth-User"
- [frontends.frontend1.auth.basic]
- removeHeader = true
- users = [
- "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
- "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
- ]
- usersFile = "/path/to/.htpasswd"
- [frontends.frontend1.auth.digest]
- removeHeader = true
- users = [
- "test:traefik:a2688e031edb4be6a3797f3882655c05",
- "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
- ]
- usersFile = "/path/to/.htdigest"
- [frontends.frontend1.auth.forward]
- address = "https://authserver.com/auth"
- trustForwardHeader = true
- authResponseHeaders = ["X-Auth-User"]
- [frontends.frontend1.auth.forward.tls]
- ca = "path/to/local.crt"
- caOptional = true
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
- insecureSkipVerify = true
-
- [frontends.frontend1.whiteList]
- sourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"]
- [frontends.frontend1.whiteList.IPStrategy]
- depth = 6
- excludedIPs = ["152.89.1.33/32", "afed:be44::/16"]
-
- [frontends.frontend1.routes]
- [frontends.frontend1.routes.route0]
- rule = "Host:test.localhost"
- [frontends.frontend1.routes.Route1]
- rule = "Method:GET"
- # ...
-
- [frontends.frontend1.headers]
- allowedHosts = ["foobar", "foobar"]
- hostsProxyHeaders = ["foobar", "foobar"]
- SSLRedirect = true
- SSLTemporaryRedirect = true
- SSLHost = "foobar"
- STSSeconds = 42
- STSIncludeSubdomains = true
- STSPreload = true
- forceSTSHeader = true
- frameDeny = true
- customFrameOptionsValue = "foobar"
- contentTypeNosniff = true
- browserXSSFilter = true
- contentSecurityPolicy = "foobar"
- publicKey = "foobar"
- referrerPolicy = "foobar"
- isDevelopment = true
- [frontends.frontend1.headers.customRequestHeaders]
- X-Foo-Bar-01 = "foobar"
- X-Foo-Bar-02 = "foobar"
- # ...
- [frontends.frontend1.headers.customResponseHeaders]
- X-Foo-Bar-03 = "foobar"
- X-Foo-Bar-04 = "foobar"
- # ...
- [frontends.frontend1.headers.SSLProxyHeaders]
- X-Foo-Bar-05 = "foobar"
- X-Foo-Bar-06 = "foobar"
- # ...
-
- [frontends.frontend1.errors]
- [frontends.frontend1.errors.errorPage0]
- status = ["500-599"]
- backend = "error"
- query = "/{status}.html"
- [frontends.frontend1.errors.errorPage1]
- status = ["404", "403"]
- backend = "error"
- query = "/{status}.html"
- # ...
-
- [frontends.frontend1.ratelimit]
- extractorfunc = "client.ip"
- [frontends.frontend1.ratelimit.rateset.rateset1]
- period = "10s"
- average = 100
- burst = 200
- [frontends.frontend1.ratelimit.rateset.rateset2]
- period = "3s"
- average = 5
- burst = 10
- # ...
-
- [frontends.frontend1.redirect]
- entryPoint = "https"
- regex = "^http://localhost/(.*)"
- replacement = "http://mydomain/$1"
- permanent = true
-
- [frontends.frontend2]
- # ...
-
-# HTTPS certificates
-[[tls]]
- entryPoints = ["https"]
- [tls.certificate]
- certFile = "path/to/my.cert"
- keyFile = "path/to/my.key"
-
-[[tls]]
- # ...
-```
-
-## Configuration Mode
-
-You have two choices:
-
-- [Rules in Traefik configuration file](/configuration/backends/file/#rules-in-traefik-configuration-file)
-- [Rules in dedicated files](/configuration/backends/file/#rules-in-dedicated-files)
-
-To enable the file backend, you must either pass the `--file` option to the Traefik binary or put the `[file]` section (with or without inner settings) in the configuration file.
-
-The configuration file allows managing both backends/frontends and HTTPS certificates (which are not [Let's Encrypt](https://letsencrypt.org) certificates generated through Traefik).
-
-TOML templating can be used if rules are not defined in the Traefik configuration file.
-
-### Rules in Traefik Configuration File
-
-Add your configuration at the end of the global configuration file `traefik.toml`:
-
-```toml
-defaultEntryPoints = ["http", "https"]
-
-[entryPoints]
- [entryPoints.http]
- # ...
- [entryPoints.https]
- # ...
-
-[file]
-
-# rules
-[backends]
- [backends.backend1]
- # ...
- [backends.backend2]
- # ...
-
-[frontends]
- [frontends.frontend1]
- # ...
- [frontends.frontend2]
- # ...
- [frontends.frontend3]
- # ...
-
-# HTTPS certificate
-[[tls]]
- # ...
-
-[[tls]]
- # ...
-```
-
-!!! note
- If `tls.entryPoints` is not defined, the certificate is attached to all the `defaultEntryPoints` with a TLS configuration.
-
-!!! note
- Adding certificates directly to the entryPoint is still maintained but certificates declared in this way cannot be managed dynamically.
- It's recommended to use the file provider to declare certificates.
-
-!!! warning
- TOML templating cannot be used if rules are defined in the Traefik configuration file.
-
-### Rules in Dedicated Files
-
-Traefik allows defining rules in one or more separate files.
-
-#### One Separate File
-
-You have to specify the file path in the `file.filename` option.
-
-```toml
-# traefik.toml
-defaultEntryPoints = ["http", "https"]
-
-[entryPoints]
- [entryPoints.http]
- # ...
- [entryPoints.https]
- # ...
-
-[file]
- filename = "rules.toml"
- watch = true
-```
-
-The option `file.watch` allows Traefik to watch file changes automatically.
-
-#### Multiple Separated Files
-
-You could have multiple `.toml` files in a directory (and recursively in its sub-directories):
-
-```toml
-[file]
- directory = "/path/to/config/"
- watch = true
-```
-
-The option `file.watch` allows Traefik to watch file changes automatically.
-
-#### Separate Files Content
-
-If you are defining rules in one or more separate files, you can use two formats.
-
-##### Simple Format
-
-Backends, Frontends and TLS certificates are defined one at time, as described in the file `rules.toml`:
-
-```toml
-# rules.toml
-[backends]
- [backends.backend1]
- # ...
- [backends.backend2]
- # ...
-
-[frontends]
- [frontends.frontend1]
- # ...
- [frontends.frontend2]
- # ...
- [frontends.frontend3]
- # ...
-
-# HTTPS certificate
-[[tls]]
- # ...
-
-[[tls]]
- # ...
-```
-
-##### TOML Templating
-
-!!! warning
- TOML templating can only be used **if rules are defined in one or more separate files**.
- Templating will not work in the Traefik configuration file.
-
-Traefik allows using TOML templating.
-
-Thus, it's possible to define easily lot of Backends, Frontends and TLS certificates as described in the file `template-rules.toml` :
-
-```toml
-# template-rules.toml
-[backends]
-{{ range $i, $e := until 100 }}
- [backends.backend{{ $e }}]
- #...
-{{ end }}
-
-[frontends]
-{{ range $i, $e := until 100 }}
- [frontends.frontend{{ $e }}]
- #...
-{{ end }}
-
-
-# HTTPS certificate
-{{ range $i, $e := until 100 }}
-[[tls]]
- #...
-{{ end }}
-```
diff --git a/old/docs/configuration/backends/kubernetes.md b/old/docs/configuration/backends/kubernetes.md
deleted file mode 100644
index 810144233..000000000
--- a/old/docs/configuration/backends/kubernetes.md
+++ /dev/null
@@ -1,389 +0,0 @@
-# Kubernetes Ingress Provider
-
-Traefik can be configured to use Kubernetes Ingress as a provider.
-
-See also [Kubernetes user guide](/user-guide/kubernetes).
-
-## Configuration
-
-```toml
-################################################################
-# Kubernetes Ingress Provider
-################################################################
-
-# Enable Kubernetes Ingress Provider.
-[kubernetes]
-
-# Kubernetes server endpoint.
-#
-# Optional for in-cluster configuration, required otherwise.
-# Default: empty
-#
-# endpoint = "http://localhost:8080"
-
-# Bearer token used for the Kubernetes client configuration.
-#
-# Optional
-# Default: empty
-#
-# token = "my token"
-
-# Path to the certificate authority file.
-# Used for the Kubernetes client configuration.
-#
-# Optional
-# Default: empty
-#
-# certAuthFilePath = "/my/ca.crt"
-
-# Array of namespaces to watch.
-#
-# Optional
-# Default: all namespaces (empty array).
-#
-# namespaces = ["default", "production"]
-
-# Ingress label selector to filter Ingress objects that should be processed.
-#
-# Optional
-# Default: empty (process all Ingresses)
-#
-# labelselector = "A and not B"
-
-# Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.
-# If the parameter is non-empty, only Ingresses containing an annotation with the same value are processed.
-# Otherwise, Ingresses missing the annotation, having an empty value, or the value `traefik` are processed.
-#
-# Optional
-# Default: empty
-#
-# ingressClass = "traefik-internal"
-
-# Disable PassHost Headers.
-#
-# Optional
-# Default: false
-#
-# disablePassHostHeaders = true
-
-# Enable PassTLSCert Headers.
-#
-# Optional
-# Default: false
-#
-# enablePassTLSCert = true
-
-# Override default configuration template.
-#
-# Optional
-# Default:
-#
-# filename = "kubernetes.tmpl"
-
-# Enable IngressEndpoint configuration.
-# This will allow Traefik to update the status section of ingress objects, if desired.
-#
-# Optional
-#
-# [kubernetes.ingressEndpoint]
-#
-# At least one must be configured.
-# `publishedservice` will override the `hostname` and `ip` settings if configured.
-#
-# hostname = "localhost"
-# ip = "127.0.0.1"
-# publishedService = "namespace/servicename"
-```
-
-### `endpoint`
-
-The Kubernetes server endpoint as URL.
-
-When deployed into Kubernetes, Traefik will read the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` to construct the endpoint.
-
-The access token will be looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
-Both are provided mounted automatically when deployed inside Kubernetes.
-
-The endpoint may be specified to override the environment variable values inside a cluster.
-
-When the environment variables are not found, Traefik will try to connect to the Kubernetes API server with an external-cluster client.
-In this case, the endpoint is required.
-Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
-
-### `labelselector`
-
-By default, Traefik processes all Ingress objects in the configured namespaces.
-A label selector can be defined to filter on specific Ingress objects only.
-
-See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
-
-### `ingressEndpoint`
-
-You can configure a static hostname or IP address that Traefik will add to the status section of Ingress objects that it manages.
-If you prefer, you can provide a service, which traefik will copy the status spec from.
-This will give more flexibility in cloud/dynamic environments.
-
-### TLS communication between Traefik and backend pods
-
-Traefik automatically requests endpoint information based on the service provided in the ingress spec.
-Although traefik will connect directly to the endpoints (pods), it still checks the service port to see if TLS communication is required.
-
-There are 3 ways to configure Traefik to use https to communicate with backend pods:
-
-1. If the service port defined in the ingress spec is 443 (note that you can still use `targetPort` to use a different port on your pod).
-2. If the service port defined in the ingress spec has a name that starts with `https` (such as `https-api`, `https-web` or just `https`).
-3. If the ingress spec includes the annotation `ingress.kubernetes.io/protocol: https`.
-
-If either of those configuration options exist, then the backend communication protocol is assumed to be TLS, and will connect via TLS automatically.
-
-!!! note
- Please note that by enabling TLS communication between traefik and your pods, you will have to have trusted certificates that have the proper trust chain and IP subject name.
- If this is not an option, you may need to skip TLS certificate verification.
- See the [insecureSkipVerify](/configuration/commons/#main-section) setting for more details.
-
-## Annotations
-
-### General annotations
-
-The following general annotations are applicable on the Ingress object:
-
-| Annotation | Description |
-|---------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.ingress.kubernetes.io/app-root: "/index.html"` | Redirects all requests for `/` to the defined path. (1) |
-| `traefik.ingress.kubernetes.io/error-pages: ` | See [custom error pages](/configuration/commons/#custom-error-pages) section. (2) |
-| `traefik.ingress.kubernetes.io/frontend-entry-points: http,https` | Override the default frontend endpoints. |
-| `traefik.ingress.kubernetes.io/pass-client-tls-cert: ` | Forward the client certificate following the configuration in YAML. (3) |
-| `traefik.ingress.kubernetes.io/pass-tls-cert: "true"` | Override the default frontend PassTLSCert value. Default: `false`.(DEPRECATED) |
-| `traefik.ingress.kubernetes.io/preserve-host: "true"` | Forward client `Host` header to the backend. |
-| `traefik.ingress.kubernetes.io/priority: "3"` | Override the default frontend rule priority. |
-| `traefik.ingress.kubernetes.io/rate-limit: ` | See [rate limiting](/configuration/commons/#rate-limiting) section. (4) |
-| `traefik.ingress.kubernetes.io/redirect-entry-point: https` | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS). |
-| `traefik.ingress.kubernetes.io/redirect-permanent: "true"` | Return 301 instead of 302. |
-| `traefik.ingress.kubernetes.io/redirect-regex: ^http://localhost/(.*)` | Redirect to another URL for that frontend. Must be set with `traefik.ingress.kubernetes.io/redirect-replacement`. |
-| `traefik.ingress.kubernetes.io/redirect-replacement: http://mydomain/$1` | Redirect to another URL for that frontend. Must be set with `traefik.ingress.kubernetes.io/redirect-regex`. |
-| `traefik.ingress.kubernetes.io/request-modifier: AddPrefix: /users` | Adds a [request modifier](/basics/#modifiers) to the backend request. |
-| `traefik.ingress.kubernetes.io/rewrite-target: /users` | Replaces each matched Ingress path with the specified one, and adds the old path to the `X-Replaced-Path` header. |
-| `traefik.ingress.kubernetes.io/rule-type: PathPrefixStrip` | Overrides the default frontend rule type. Only path-related matchers can be specified [(`Path`, `PathPrefix`, `PathStrip`, `PathPrefixStrip`)](/basics/#path-matcher-usage-guidelines).(5) |
-| `traefik.ingress.kubernetes.io/request-modifier: AddPrefix: /users` | Add a [request modifier](/basics/#modifiers) to the backend request. |
-| `traefik.ingress.kubernetes.io/service-weights: ` | Set ingress backend weights specified as percentage or decimal numbers in YAML. (6) |
-| `traefik.ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"` | A comma-separated list of IP ranges permitted for access (7). |
-| `traefik.ingress.kubernetes.io/whiteList-ipstrategy=true` | Uses the default IPStrategy.
Can be used when there is an existing `clientIPStrategy` but you want the remote address for whitelisting. |
-| `traefik.ingress.kubernetes.io/whiteList-ipstrategy-depth=5` | See [whitelist](/configuration/entrypoints/#white-listing) |
-| `traefik.ingress.kubernetes.io/whiteList-ipstrategy-excludedIPs=127.0.0. 1` | See [whitelist](/configuration/entrypoints/#white-listing) |
-| `ingress.kubernetes.io/protocol: ` | Set the protocol Traefik will use to communicate with pods. Acceptable protocols: http,https,h2c |
-
-<1> `traefik.ingress.kubernetes.io/app-root`:
-Non-root paths will not be affected by this annotation and handled normally.
-This annotation may not be combined with other redirect annotations.
-Trying to do so will result in the other redirects being ignored.
-This annotation can be used in combination with `traefik.ingress.kubernetes.io/redirect-permanent` to configure whether the `app-root` redirect is a 301 or a 302.
-
-<2> `traefik.ingress.kubernetes.io/error-pages` example:
-
-```yaml
-foo:
- status:
- - "404"
- backend: bar
- query: /bar
-fii:
- status:
- - "503"
- - "500"
- backend: bar
- query: /bir
-```
-
-<3> `traefik.ingress.kubernetes.io/pass-client-tls-cert` example:
-
-```yaml
-# add escaped pem in the `X-Forwarded-Tls-Client-Cert` header
-pem: true
-# add escaped certificate following infos in the `X-Forwarded-Tls-Client-Cert-Infos` header
-infos:
- notafter: true
- notbefore: true
- sans: true
- subject:
- country: true
- province: true
- locality: true
- organization: true
- commonname: true
- serialnumber: true
-```
-
-If `pem` is set, it will add a `X-Forwarded-Tls-Client-Cert` header that contains the escaped pem as value.
-If at least one flag of the `infos` part is set, it will add a `X-Forwarded-Tls-Client-Cert-Infos` header that contains an escaped string composed of the client certificate data selected by the infos flags.
-This infos part is composed like the following example (not escaped):
-```Subject="C=FR,ST=SomeState,L=Lyon,O=Cheese,CN=*.cheese.org",NB=1531900816,NA=1563436816,SAN=*.cheese.org,*.cheese.net,cheese.in,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2```
-
-<4> `traefik.ingress.kubernetes.io/rate-limit` example:
-
-```yaml
-extractorfunc: client.ip
-rateset:
- bar:
- period: 3s
- average: 6
- burst: 9
- foo:
- period: 6s
- average: 12
- burst: 18
-```
-
-<5> `traefik.ingress.kubernetes.io/rule-type`
-Note: `ReplacePath` is deprecated in this annotation, use the `traefik.ingress.kubernetes.io/request-modifier` annotation instead. Default: `PathPrefix`.
-
-<6> `traefik.ingress.kubernetes.io/service-weights`:
-Service weights enable to split traffic across multiple backing services in a fine-grained manner.
-
-Example:
-
-```yaml
-service_backend1: 12.50%
-service_backend2: 12.50%
-service_backend3: 75 # Same as 75%, the percentage sign is optional
-```
-
-A single service backend definition may be omitted; in this case, Traefik auto-completes that service backend to 100% automatically.
-Conveniently, users need not bother to compute the percentage remainder for a main service backend.
-For instance, in the example above `service_backend3` does not need to be specified to be assigned 75%.
-
-!!! note
- For each service weight given, the Ingress specification must include a backend item with the corresponding `serviceName` and (if given) matching path.
-
-Currently, 3 decimal places for the weight are supported.
-An attempt to exceed the precision should be avoided as it may lead to percentage computation flaws and, in consequence, Ingress parsing errors.
-
-For each path definition, this annotation will fail if:
-
-- the sum of backend weights exceeds 100% or
-- the sum of backend weights is less than 100% without one or more omitted backends
-
-See also the [user guide section traffic splitting](/user-guide/kubernetes/#traffic-splitting).
-
-<7> `traefik.ingress.kubernetes.io/whitelist-source-range`:
-All source IPs are permitted if the list is empty or a single range is ill-formatted.
-Please note, you may have to set `service.spec.externalTrafficPolicy` to the value `Local` to preserve the source IP of the request for filtering.
-Please see [this link](https://kubernetes.io/docs/tutorials/services/source-ip/) for more information.
-
-
-!!! note
- Please note that `traefik.ingress.kubernetes.io/redirect-regex` and `traefik.ingress.kubernetes.io/redirect-replacement` do not have to be set if `traefik.ingress.kubernetes.io/redirect-entry-point` is defined for the redirection (they will not be used in this case).
-
-The following annotations are applicable on the Service object associated with a particular Ingress object:
-
-| Annotation | Description |
-|--------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.ingress.kubernetes.io/buffering: ` | (1) See the [buffering](/configuration/commons/#buffering) section. |
-| `traefik.ingress.kubernetes.io/affinity: "true"` | Enable backend sticky sessions. |
-| `traefik.ingress.kubernetes.io/circuit-breaker-expression: ` | Set the circuit breaker expression for the backend. |
-| `traefik.ingress.kubernetes.io/responseforwarding-flushinterval: "10ms` | Defines the interval between two flushes when forwarding response from backend to client. |
-| `traefik.ingress.kubernetes.io/load-balancer-method: drr` | Override the default `wrr` load balancer algorithm. |
-| `traefik.ingress.kubernetes.io/max-conn-amount: "10"` | Sets the maximum number of simultaneous connections to the backend.
Must be used in conjunction with the label below to take effect. |
-| `traefik.ingress.kubernetes.io/max-conn-extractor-func: client.ip` | Set the function to be used against the request to determine what to limit maximum connections to the backend by.
Must be used in conjunction with the above label to take effect. |
-| `traefik.ingress.kubernetes.io/session-cookie-name: ` | Manually set the cookie name for sticky sessions. |
-
-<1> `traefik.ingress.kubernetes.io/buffering` example:
-
-```yaml
-maxrequestbodybytes: 10485760
-memrequestbodybytes: 2097153
-maxresponsebodybytes: 10485761
-memresponsebodybytes: 2097152
-retryexpression: IsNetworkError() && Attempts() <= 2
-```
-
-!!! note
- `traefik.ingress.kubernetes.io/` and `ingress.kubernetes.io/` are supported prefixes.
-
-### Custom Headers Annotations
-
-| Annotation | Description |
-| ------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `ingress.kubernetes.io/custom-request-headers: EXPR` | Provides the container with custom request headers that will be appended to each request forwarded to the container. Format: HEADER:value||HEADER2:value2
|
-| `ingress.kubernetes.io/custom-response-headers: EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client. Format: HEADER:value||HEADER2:value2
|
-
-### Security Headers Annotations
-
-The following security annotations are applicable on the Ingress object:
-
-| Annotation | Description |
-| ----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `ingress.kubernetes.io/allowed-hosts: EXPR` | Provides a list of allowed hosts that requests will be processed. Format: `Host1,Host2` |
-| `ingress.kubernetes.io/browser-xss-filter: "true"` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
-| `ingress.kubernetes.io/content-security-policy: VALUE` | Adds CSP Header with the custom value. |
-| `ingress.kubernetes.io/content-type-nosniff: "true"` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
-| `ingress.kubernetes.io/custom-browser-xss-value: VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. |
-| `ingress.kubernetes.io/custom-frame-options-value: VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
-| `ingress.kubernetes.io/force-hsts: "false"` | Adds the STS header to non-SSL requests. |
-| `ingress.kubernetes.io/frame-deny: "true"` | Adds the `X-Frame-Options` header with the value of `DENY`. |
-| `ingress.kubernetes.io/hsts-max-age: "315360000"` | Sets the max-age of the HSTS header. |
-| `ingress.kubernetes.io/hsts-include-subdomains: "true"` | Adds the IncludeSubdomains section of the STS header. |
-| `ingress.kubernetes.io/hsts-preload: "true"` | Adds the preload flag to the HSTS header. |
-| `ingress.kubernetes.io/is-development: "false"` | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.
When deploying to production, be sure to set this to false. |
-| `ingress.kubernetes.io/proxy-headers: EXPR` | Provides a list of headers that the proxied hostname may be stored. Format: `HEADER1,HEADER2` |
-| `ingress.kubernetes.io/public-key: VALUE` | Adds HPKP header. |
-| `ingress.kubernetes.io/referrer-policy: VALUE` | Adds referrer policy header. |
-| `ingress.kubernetes.io/ssl-redirect: "true"` | Forces the frontend to redirect to SSL if a non-SSL request is sent. |
-| `ingress.kubernetes.io/ssl-temporary-redirect: "true"` | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301. |
-| `ingress.kubernetes.io/ssl-host: HOST` | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request. |
-| `ingress.kubernetes.io/ssl-force-host: "true"` | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false. |
-| `ingress.kubernetes.io/ssl-proxy-headers: EXPR` | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`). Format: HEADER:value||HEADER2:value2
|
-
-### Authentication
-
-Additional authentication annotations can be added to the Ingress object.
-The source of the authentication is a Secret object that contains the credentials.
-
-| Annotation | basic | digest | forward | Description |
-|----------------------------------------------------------------------|-------|--------|---------|-------------------------------------------------------------------------------------------------------------|
-| `ingress.kubernetes.io/auth-type: basic` | x | x | x | Contains the authentication type: `basic`, `digest`, `forward`. |
-| `ingress.kubernetes.io/auth-secret: mysecret` | x | x | | Name of Secret containing the username and password with access to the paths defined in the Ingress object. |
-| `ingress.kubernetes.io/auth-remove-header: true` | x | x | | If set to `true` removes the `Authorization` header. |
-| `ingress.kubernetes.io/auth-header-field: X-WebAuth-User` | x | x | | Pass Authenticated user to application via headers. |
-| `ingress.kubernetes.io/auth-url: https://example.com` | | | x | [The URL of the authentication server](/configuration/entrypoints/#forward-authentication). |
-| `ingress.kubernetes.io/auth-trust-headers: false` | | | x | Trust `X-Forwarded-*` headers. |
-| `ingress.kubernetes.io/auth-response-headers: X-Auth-User, X-Secret` | | | x | Copy headers from the authentication server to the request. |
-| `ingress.kubernetes.io/auth-tls-secret: secret` | | | x | Name of Secret containing the certificate and key for the forward auth. |
-| `ingress.kubernetes.io/auth-tls-insecure` | | | x | If set to `true` invalid SSL certificates are accepted. |
-
-The secret must be created in the same namespace as the Ingress object.
-
-The following limitations hold for basic/digest auth:
-
-- The realm is not configurable; the only supported (and default) value is `traefik`.
-- The Secret must contain a single file only.
-
-### TLS certificates management
-
-TLS certificates can be managed in Secrets objects.
-More information are available in the [User Guide](/user-guide/kubernetes/#add-a-tls-certificate-to-the-ingress).
-
-!!! note
- Only TLS certificates provided by users can be stored in Kubernetes Secrets.
- [Let's Encrypt](https://letsencrypt.org) certificates cannot be managed in Kubernets Secrets yet.
-
-### Global Default Backend Ingresses
-
-Ingresses can be created that look like the following:
-
-```yaml
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
- name: cheese
-spec:
- backend:
- serviceName: stilton
- servicePort: 80
-```
-
-This ingress follows the [Global Default Backend](https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource) property of ingresses.
-This will allow users to create a "default backend" that will match all unmatched requests.
-
-!!! note
- Due to Traefik's use of priorities, you may have to set this ingress priority lower than other ingresses in your environment, to avoid this global ingress from satisfying requests that _could_ match other ingresses.
- To do this, use the `traefik.ingress.kubernetes.io/priority` annotation (as seen in [General Annotations](/configuration/backends/kubernetes/#general-annotations)) on your ingresses accordingly.
diff --git a/old/docs/configuration/backends/marathon.md b/old/docs/configuration/backends/marathon.md
deleted file mode 100644
index 18eba6c7a..000000000
--- a/old/docs/configuration/backends/marathon.md
+++ /dev/null
@@ -1,415 +0,0 @@
-# Marathon Provider
-
-Traefik can be configured to use Marathon as a provider.
-
-See also [Marathon user guide](/user-guide/marathon).
-
-
-## Configuration
-
-```toml
-################################################################
-# Mesos/Marathon Provider
-################################################################
-
-# Enable Marathon Provider.
-[marathon]
-
-# Marathon server endpoint.
-# You can also specify multiple endpoint for Marathon:
-# endpoint = "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
-#
-# Required
-# Default: "http://127.0.0.1:8080"
-#
-endpoint = "http://127.0.0.1:8080"
-
-# Enable watch Marathon changes.
-#
-# Optional
-# Default: true
-#
-watch = true
-
-# Default base domain used for the frontend rules.
-# Can be overridden by setting the "traefik.domain" label on an application.
-#
-# Required
-#
-domain = "marathon.localhost"
-
-# Override default configuration template.
-# For advanced users :)
-#
-# Optional
-#
-# filename = "marathon.tmpl"
-
-# Override template version
-# For advanced users :)
-#
-# Optional
-# - "1": previous template version (must be used only with older custom templates, see "filename")
-# - "2": current template version (must be used to force template version when "filename" is used)
-#
-# templateVersion = 2
-
-# Expose Marathon apps by default in Traefik.
-#
-# Optional
-# Default: true
-#
-# exposedByDefault = false
-
-# Convert Marathon groups to subdomains.
-# Default behavior: /foo/bar/myapp => foo-bar-myapp.{defaultDomain}
-# with groupsAsSubDomains enabled: /foo/bar/myapp => myapp.bar.foo.{defaultDomain}
-#
-# Optional
-# Default: false
-#
-# groupsAsSubDomains = true
-
-# Enable compatibility with marathon-lb labels.
-#
-# Optional
-# Default: false
-#
-# marathonLBCompatibility = true
-
-# Enable filtering using Marathon constraints..
-# If enabled, Traefik will read Marathon constraints, as defined in https://mesosphere.github.io/marathon/docs/constraints.html
-# Each individual constraint will be treated as a verbatim compounded tag.
-# i.e. "rack_id:CLUSTER:rack-1", with all constraint groups concatenated together using ":"
-#
-# Optional
-# Default: false
-#
-# filterMarathonConstraints = true
-
-# Enable Marathon basic authentication.
-#
-# Optional
-#
-# [marathon.basic]
-# httpBasicAuthUser = "foo"
-# httpBasicPassword = "bar"
-
-# TLS client configuration. https://golang.org/pkg/crypto/tls/#Config
-#
-# Optional
-#
-# [marathon.TLS]
-# CA = "/etc/ssl/ca.crt"
-# Cert = "/etc/ssl/marathon.cert"
-# Key = "/etc/ssl/marathon.key"
-# insecureSkipVerify = true
-
-# DCOSToken for DCOS environment.
-# This will override the Authorization header.
-#
-# Optional
-#
-# dcosToken = "xxxxxx"
-
-# Override DialerTimeout.
-# Amount of time to allow the Marathon provider to wait to open a TCP connection
-# to a Marathon master.
-# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
-# values (digits).
-# If no units are provided, the value is parsed assuming seconds.
-#
-# Optional
-# Default: "5s"
-#
-# dialerTimeout = "5s"
-
-# Override ResponseHeaderTimeout.
-# Amount of time to allow the Marathon provider to wait until the first response
-# header from the Marathon master is received.
-# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
-# values (digits).
-# If no units are provided, the value is parsed assuming seconds.
-#
-# Optional
-# Default: "60s"
-#
-# responseHeaderTimeout = "60s"
-
-# Override TLSHandshakeTimeout.
-# Amount of time to allow the Marathon provider to wait until the TLS
-# handshake completes.
-# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
-# values (digits).
-# If no units are provided, the value is parsed assuming seconds.
-#
-# Optional
-# Default: "5s"
-#
-# TLSHandshakeTimeout = "5s"
-
-# Set the TCP Keep Alive interval for the Marathon HTTP Client.
-# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
-# values (digits).
-# If no units are provided, the value is parsed assuming seconds.
-#
-# Optional
-# Default: "10s"
-#
-# keepAlive = "10s"
-
-# By default, a task's IP address (as returned by the Marathon API) is used as
-# backend server if an IP-per-task configuration can be found; otherwise, the
-# name of the host running the task is used.
-# The latter behavior can be enforced by enabling this switch.
-#
-# Optional
-# Default: false
-#
-# forceTaskHostname = true
-
-# Applications may define readiness checks which are probed by Marathon during
-# deployments periodically and the results exposed via the API.
-# Enabling the following parameter causes Traefik to filter out tasks
-# whose readiness checks have not succeeded.
-# Note that the checks are only valid at deployment times.
-# See the Marathon guide for details.
-#
-# Optional
-# Default: false
-#
-# respectReadinessChecks = true
-```
-
-To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
-
-## Labels: overriding default behavior
-
-Marathon labels may be used to dynamically change the routing and forwarding behavior.
-
-They may be specified on one of two levels: Application or service.
-
-### Application Level
-
-The following labels can be defined on Marathon applications. They adjust the behavior for the entire application.
-
-| Label | Description |
-|---------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.domain` | Sets the default base domain used for the frontend rules. |
-| `traefik.enable=false` | Disables this container in Traefik. |
-| `traefik.port=80` | Registers this port. Useful when the container exposes multiples ports. |
-| `traefik.portIndex=1` | Registers port by index in the application's ports array. Useful when the application exposes multiple ports. |
-| `traefik.protocol=https` | Overrides the default `http` protocol. |
-| `traefik.weight=10` | Assigns this weight to the container. |
-| `traefik.backend=foo` | Overrides the application name by `foo` in the generated name of the backend. |
-| `traefik.backend.buffering.maxRequestBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
-| `traefik.backend.buffering.maxResponseBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
-| `traefik.backend.buffering.memRequestBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
-| `traefik.backend.buffering.memResponseBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
-| `traefik.backend.buffering.retryExpression=EXPR` | See [buffering](/configuration/commons/#buffering) section. |
-| `traefik.backend.circuitbreaker.expression=EXPR` | Creates a [circuit breaker](/basics/#backends) to be used against the backend |
-| `traefik.backend.responseForwarding.flushInterval=10ms` | Defines the interval between two flushes when forwarding response from backend to client. |
-| `traefik.backend.healthcheck.path=/health` | Enables health check for the backend, hitting the container at `path`. |
-| `traefik.backend.healthcheck.interval=5s` | Defines the health check interval. (Default: 30s) |
-| `traefik.backend.healthcheck.timeout=3s` | Defines the health check request timeout. (Default: 5s) |
-| `traefik.backend.healthcheck.port=8080` | Sets a different port for the health check. |
-| `traefik.backend.healthcheck.scheme=http` | Overrides the server URL scheme. |
-| `traefik.backend.healthcheck.hostname=foobar.com` | Defines the health check hostname. |
-| `traefik.backend.healthcheck.headers=EXPR` | Defines the health check request headers
Format: HEADER:value||HEADER2:value2
|
-| `traefik.backend.loadbalancer.method=drr` | Overrides the default `wrr` load balancer algorithm |
-| `traefik.backend.loadbalancer.stickiness=true` | Enables backend sticky sessions |
-| `traefik.backend.loadbalancer.stickiness.cookieName=NAME` | Sets the cookie name manually for sticky sessions |
-| `traefik.backend.maxconn.amount=10` | Sets a maximum number of connections to the backend.
Must be used in conjunction with the below label to take effect. |
-| `traefik.backend.maxconn.extractorfunc=client.ip` | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.
Must be used in conjunction with the above label to take effect. |
-| `traefik.frontend.auth.basic=EXPR` | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash` (DEPRECATED). |
-| `traefik.frontend.auth.basic.removeHeader=true` | If set to `true`, removes the `Authorization` header. |
-| `traefik.frontend.auth.basic.users=EXPR` | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash`. |
-| `traefik.frontend.auth.basic.usersFile=/path/.htpasswd` | Sets basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. |
-| `traefik.frontend.auth.digest.removeHeader=true` | If set to `true`, removes the `Authorization` header. |
-| `traefik.frontend.auth.digest.users=EXPR` | Sets digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`. |
-| `traefik.frontend.auth.digest.usersFile=/path/.htdigest` | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. |
-| `traefik.frontend.auth.forward.address=https://example.com` | Sets the URL of the authentication server. |
-| `traefik.frontend.auth.forward.authResponseHeaders=EXPR` | Sets the forward authentication authResponseHeaders in CSV format: `X-Auth-User,X-Auth-Header` |
-| `traefik.frontend.auth.forward.tls.ca=/path/ca.pem` | Sets the Certificate Authority (CA) for the TLS connection with the authentication server. |
-| `traefik.frontend.auth.forward.tls.caOptional=true` | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA). |
-| `traefik.frontend.auth.forward.tls.cert=/path/server.pem` | Sets the Certificate for the TLS connection with the authentication server. |
-| `traefik.frontend.auth.forward.tls.insecureSkipVerify=true` | If set to true invalid SSL certificates are accepted. |
-| `traefik.frontend.auth.forward.tls.key=/path/server.key` | Sets the Certificate for the TLS connection with the authentication server. |
-| `traefik.frontend.auth.forward.trustForwardHeader=true` | Trusts X-Forwarded-* headers. |
-| `traefik.frontend.auth.headerField=X-WebAuth-User` | Sets the header used to pass the authenticated user to the application. |
-| `traefik.frontend.auth.removeHeader=true` | If set to true, removes the Authorization header. |
-| `traefik.frontend.entryPoints=http,https` | Assigns this frontend to entry points `http` and `https`.
Overrides `defaultEntryPoints` |
-| `traefik.frontend.errors..backend=NAME` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
-| `traefik.frontend.errors..query=PATH` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
-| `traefik.frontend.errors..status=RANGE` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
-| `traefik.frontend.passHostHeader=true` | Forwards client `Host` header to the backend. |
-| `traefik.frontend.passTLSClientCert.infos.issuer.commonName=true` | Add the issuer.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.issuer.country=true` | Add the issuer.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent=true` | Add the issuer.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.issuer.locality=true` | Add the issuer.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.issuer.organization=true` | Add the issuer.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.issuer.province=true` | Add the issuer.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber=true` | Add the issuer.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.notAfter=true` | Add the noAfter field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.notBefore=true` | Add the noBefore field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.sans=true` | Add the sans field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.subject.commonName=true` | Add the subject.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.subject.country=true` | Add the subject.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Add the subject.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.subject.locality=true` | Add the subject.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.subject.organization=true`| Add the subject.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.subject.province=true` | Add the subject.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.infos.subject.serialNumber=true`| Add the subject.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
-| `traefik.frontend.passTLSClientCert.pem=true` | Pass the escaped pem in the `X-Forwarded-Ssl-Client-Cert` header. |
-| `traefik.frontend.passTLSCert=true` | Forwards TLS Client certificates to the backend. |
-| `traefik.frontend.priority=10` | Overrides default frontend priority |
-| `traefik.frontend.rateLimit.extractorFunc=EXP` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
-| `traefik.frontend.rateLimit.rateSet..period=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
-| `traefik.frontend.rateLimit.rateSet..average=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
-| `traefik.frontend.rateLimit.rateSet..burst=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
-| `traefik.frontend.redirect.entryPoint=https` | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS) |
-| `traefik.frontend.redirect.regex=^http://localhost/(.*)` | Redirects to another URL to this frontend.
Must be set with `traefik.frontend.redirect.replacement`. |
-| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirects to another URL to this frontend.
Must be set with `traefik.frontend.redirect.regex`. |
-| `traefik.frontend.redirect.permanent=true` | Returns 301 instead of 302. |
-| `traefik.frontend.rule=EXPR` | Overrides the default frontend rule. Default: `Host:{sub_domain}.{domain}`. |
-| `traefik.frontend.whiteList.sourceRange=RANGE` | Sets a list of IP-Ranges which are allowed to access.
An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
-| `traefik.frontend.whiteList.ipStrategy=true` | Uses the default IPStrategy.
Can be used when there is an existing `clientIPStrategy` but you want the remote address for whitelisting. |
-| `traefik.frontend.whiteList.ipStrategy.depth=5` | See [whitelist](/configuration/entrypoints/#white-listing) |
-| `traefik.frontend.whiteList.ipStrategy.excludedIPs=127.0.0.1` | See [whitelist](/configuration/entrypoints/#white-listing) |
-
-#### Custom Headers
-
-| Label | Description |
-|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.
Format: HEADER:value||HEADER2:value2
|
-| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.
Format: HEADER:value||HEADER2:value2
|
-|
-
-#### Security Headers
-
-| Label | Description |
-|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.frontend.headers.allowedHosts=EXPR` | Provides a list of allowed hosts that requests will be processed.
Format: `Host1,Host2` |
-| `traefik.frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
-| `traefik.frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. |
-| `traefik.frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
-| `traefik.frontend.headers.customBrowserXSSValue=VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. |
-| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
-| `traefik.frontend.headers.forceSTSHeader=false` | Adds the STS header to non-SSL requests. |
-| `traefik.frontend.headers.frameDeny=false` | Adds the `X-Frame-Options` header with the value of `DENY`. |
-| `traefik.frontend.headers.hostsProxyHeaders=EXPR ` | Provides a list of headers that the proxied hostname may be stored.
Format: `HEADER1,HEADER2` |
-| `traefik.frontend.headers.isDevelopment=false` | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.
When deploying to production, be sure to set this to false. |
-| `traefik.frontend.headers.publicKey=VALUE` | Adds HPKP header. |
-| `traefik.frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. |
-| `traefik.frontend.headers.SSLRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent. |
-| `traefik.frontend.headers.SSLTemporaryRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301. |
-| `traefik.frontend.headers.SSLHost=HOST` | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request. |
-| `traefik.frontend.headers.SSLForceHost=true` | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false. |
-| `traefik.frontend.headers.SSLProxyHeaders=EXPR` | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).
Format: HEADER:value||HEADER2:value2
|
-| `traefik.frontend.headers.STSSeconds=315360000` | Sets the max-age of the STS header. |
-| `traefik.frontend.headers.STSIncludeSubdomains=true` | Adds the `IncludeSubdomains` section of the STS header. |
-| `traefik.frontend.headers.STSPreload=true` | Adds the preload flag to the STS header. |
-
-### Applications with Multiple Ports (segment labels)
-
-Segment labels are used to define routes to an application exposing multiple ports.
-A segment is a group of labels that apply to a port exposed by an application.
-You can define as many segments as ports exposed in an application.
-
-Segment labels override the default behavior.
-
-| Label | Description |
-|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------|
-| `traefik..backend=BACKEND` | Same as `traefik.backend` |
-| `traefik..domain=DOMAIN` | Same as `traefik.domain` |
-| `traefik..portIndex=1` | Same as `traefik.portIndex` |
-| `traefik..port=PORT` | Same as `traefik.port` |
-| `traefik..protocol=http` | Same as `traefik.protocol` |
-| `traefik..weight=10` | Same as `traefik.weight` |
-| `traefik..frontend.auth.basic=EXPR` | Same as `traefik.frontend.auth.basic` |
-| `traefik.